10/09/2020 08:38:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Process Creation OpCode=Info RecordNumber=223463 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1c4 New Process Name: C:\Windows\System32\autochk.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1a0 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 08:38:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Process Creation OpCode=Info RecordNumber=223462 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1a0 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x4 Creator Process Name: Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 08:38:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4826 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Other Policy Change Events OpCode=Info RecordNumber=223461 Keywords=Audit Success Message=Boot Configuration Data loaded. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 General Settings: Load Options: - Advanced Options: No Configuration Access Policy: Default System Event Logging: No Kernel Debugging: No VSM Launch Type: Off Signature Settings: Test Signing: No Flight Signing: No Disable Integrity Checks: No HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: Off HyperVisor Debugging: No 10/09/2020 08:38:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Process Creation OpCode=Info RecordNumber=223464 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1f0 New Process Name: C:\Windows\System32\setupcl.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1a0 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 08:39:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Logon OpCode=Info RecordNumber=223474 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: - New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:39:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4608 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Security State Change OpCode=Info RecordNumber=223473 Keywords=Audit Success Message=Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized. 10/09/2020 08:39:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Process Creation OpCode=Info RecordNumber=223472 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2e8 New Process Name: C:\Windows\System32\lsass.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x258 Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 08:39:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Process Creation OpCode=Info RecordNumber=223471 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2d8 New Process Name: C:\Windows\System32\services.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x258 Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 08:39:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Process Creation OpCode=Info RecordNumber=223470 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2a4 New Process Name: C:\Windows\System32\winlogon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x250 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 08:39:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Process Creation OpCode=Info RecordNumber=223469 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x260 New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x250 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 08:39:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Process Creation OpCode=Info RecordNumber=223468 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x258 New Process Name: C:\Windows\System32\wininit.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x20c Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 08:39:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Process Creation OpCode=Info RecordNumber=223467 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x250 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1a0 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 08:39:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Process Creation OpCode=Info RecordNumber=223466 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x214 New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x20c Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 08:39:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Process Creation OpCode=Info RecordNumber=223465 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x20c New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1a0 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 08:39:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Special Logon OpCode=Info RecordNumber=223486 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:39:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Logon OpCode=Info RecordNumber=223485 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-V5DC57V$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:39:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Special Logon OpCode=Info RecordNumber=223484 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x58B28 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege 10/09/2020 08:39:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Special Logon OpCode=Info RecordNumber=223483 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x58B16 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 10/09/2020 08:39:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Logon OpCode=Info RecordNumber=223482 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-V5DC57V$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x58B28 Linked Logon ID: 0x58B16 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2a4 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:39:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Logon OpCode=Info RecordNumber=223481 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-V5DC57V$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x58B16 Linked Logon ID: 0x58B28 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2a4 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:39:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Logon OpCode=Info RecordNumber=223480 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-V5DC57V$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x2a4 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:39:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Special Logon OpCode=Info RecordNumber=223479 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 10/09/2020 08:39:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Logon OpCode=Info RecordNumber=223478 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-V5DC57V$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:39:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Special Logon OpCode=Info RecordNumber=223477 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:39:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Logon OpCode=Info RecordNumber=223476 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-V5DC57V$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:39:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4902 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Audit Policy Change OpCode=Info RecordNumber=223475 Keywords=Audit Success Message=The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0x51D7A 10/09/2020 08:39:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Special Logon OpCode=Info RecordNumber=223492 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:39:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Logon OpCode=Info RecordNumber=223491 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-V5DC57V$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:39:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Special Logon OpCode=Info RecordNumber=223490 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:39:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Logon OpCode=Info RecordNumber=223489 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-V5DC57V$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:39:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Special Logon OpCode=Info RecordNumber=223488 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 10/09/2020 08:39:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Logon OpCode=Info RecordNumber=223487 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-V5DC57V$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:39:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Special Logon OpCode=Info RecordNumber=223494 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:39:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Logon OpCode=Info RecordNumber=223493 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-V5DC57V$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:39:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Logon OpCode=Info RecordNumber=223502 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x613FB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:39:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Special Logon OpCode=Info RecordNumber=223501 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:39:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Logon OpCode=Info RecordNumber=223500 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-V5DC57V$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:39:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Special Logon OpCode=Info RecordNumber=223499 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:39:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Logon OpCode=Info RecordNumber=223498 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-V5DC57V$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:39:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Special Logon OpCode=Info RecordNumber=223497 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:39:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Logon OpCode=Info RecordNumber=223496 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-V5DC57V$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:39:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5033 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Other System Events OpCode=Info RecordNumber=223495 Keywords=Audit Success Message=The Windows Firewall Driver started successfully. 10/09/2020 08:39:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5024 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Other System Events OpCode=Info RecordNumber=223503 Keywords=Audit Success Message=The Windows Firewall service started successfully. 10/09/2020 08:39:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4616 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Security State Change OpCode=Info RecordNumber=223507 Keywords=Audit Success Message=The system time was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-V5DC57V$ Account Domain: WORKGROUP Logon ID: 0x3E7 Process Information: Process ID: 0xa68 Name: C:\Windows\System32\rundll32.exe Previous Time: ‎2020‎-‎10‎-‎09T08:39:38.700704000Z New Time: ‎2020‎-‎10‎-‎09T08:39:38.689000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer. 10/09/2020 08:39:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4724 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=User Account Management OpCode=Info RecordNumber=223506 Keywords=Audit Success Message=An attempt was made to reset an account's password. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-V5DC57V$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-V5DC57V 10/09/2020 08:39:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4738 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=User Account Management OpCode=Info RecordNumber=223505 Keywords=Audit Success Message=A user account was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-V5DC57V$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-V5DC57V Changed Attributes: SAM Account Name: Administrator Display Name: User Principal Name: - Home Directory: Home Drive: Script Path: Profile Path: User Workstations: Password Last Set: 10/9/2020 8:39:38 AM Account Expires: Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x10 New UAC Value: 0x14 User Account Control: 'Password Not Required' - Enabled User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: - 10/09/2020 08:39:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=User Account Management OpCode=Info RecordNumber=223504 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-V5DC57V$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-V5DC57V Process Information: Process ID: 0xa0c Process Name: C:\Windows\System32\net1.exe 10/09/2020 08:39:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4616 EventType=0 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Security State Change OpCode=Info RecordNumber=223509 Keywords=Audit Success Message=The system time was changed. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: Process ID: 0x4e8 Name: C:\Windows\System32\svchost.exe Previous Time: ‎2020‎-‎10‎-‎09T08:39:44.130546000Z New Time: ‎2020‎-‎10‎-‎09T08:39:44.117000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer. 10/09/2020 08:39:44 AM LogName=Security SourceName=Microsoft-Windows-Eventlog EventCode=1100 EventType=4 Type=Information ComputerName=EC2AMAZ-V5DC57V TaskCategory=Service shutdown OpCode=Info RecordNumber=223508 Keywords=Audit Success Message=The event logging service has shut down. 10/09/2020 08:40:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Process Creation OpCode=Info RecordNumber=223512 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1b8 New Process Name: C:\Windows\System32\autochk.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x190 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 08:40:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Process Creation OpCode=Info RecordNumber=223511 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x190 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x4 Creator Process Name: Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 08:40:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4826 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Other Policy Change Events OpCode=Info RecordNumber=223510 Keywords=Audit Success Message=Boot Configuration Data loaded. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 General Settings: Load Options: - Advanced Options: No Configuration Access Policy: Default System Event Logging: No Kernel Debugging: No VSM Launch Type: Off Signature Settings: Test Signing: No Flight Signing: No Disable Integrity Checks: No HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: Off HyperVisor Debugging: No 10/09/2020 08:40:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223522 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: - New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:40:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4608 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security State Change OpCode=Info RecordNumber=223521 Keywords=Audit Success Message=Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized. 10/09/2020 08:40:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Process Creation OpCode=Info RecordNumber=223520 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2c0 New Process Name: C:\Windows\System32\lsass.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x238 Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 08:40:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Process Creation OpCode=Info RecordNumber=223519 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2b8 New Process Name: C:\Windows\System32\services.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x238 Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 08:40:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Process Creation OpCode=Info RecordNumber=223518 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x284 New Process Name: C:\Windows\System32\winlogon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x230 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 08:40:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Process Creation OpCode=Info RecordNumber=223517 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x240 New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x230 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 08:40:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Process Creation OpCode=Info RecordNumber=223516 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x238 New Process Name: C:\Windows\System32\wininit.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1e4 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 08:40:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Process Creation OpCode=Info RecordNumber=223515 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x230 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x190 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 08:40:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Process Creation OpCode=Info RecordNumber=223514 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1ec New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1e4 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 08:40:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Process Creation OpCode=Info RecordNumber=223513 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1e4 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x190 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 08:40:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223540 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:40:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223539 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:40:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223538 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:40:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223537 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:40:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223536 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:40:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223535 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:40:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223534 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 10/09/2020 08:40:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223533 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:40:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223532 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xA094 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege 10/09/2020 08:40:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223531 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xA07F Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 10/09/2020 08:40:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223530 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xA094 Linked Logon ID: 0xA07F Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x284 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:40:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223529 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xA07F Linked Logon ID: 0xA094 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x284 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:40:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223528 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x284 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:40:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223527 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 10/09/2020 08:40:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223526 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:40:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223525 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:40:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223524 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:40:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4902 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Audit Policy Change OpCode=Info RecordNumber=223523 Keywords=Audit Success Message=The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0x5542 10/09/2020 08:40:30 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4616 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security State Change OpCode=Info RecordNumber=223541 Keywords=Audit Success Message=The system time was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Process Information: Process ID: 0x448 Name: C:\Windows\System32\rundll32.exe Previous Time: ‎2020‎-‎10‎-‎09T08:40:30.046116000Z New Time: ‎2020‎-‎10‎-‎09T08:40:30.031000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer. 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223624 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223623 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4737 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223622 Keywords=Audit Success Message=A security-enabled global group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: ATTACKRANGE\Domain Users Group Name: None Group Domain: EC2AMAZ-I44GJRK Changed Attributes: SAM Account Name: None SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223621 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: ATTACKRANGE\Domain Users Account Domain: EC2AMAZ-I44GJRK Old Account Name: None New Account Name: None Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4737 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223620 Keywords=Audit Success Message=A security-enabled global group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: ATTACKRANGE\Domain Users Group Name: None Group Domain: EC2AMAZ-I44GJRK Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4738 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223619 Keywords=Audit Success Message=A user account was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: ATTACKRANGE\DefaultAccount Account Name: DefaultAccount Account Domain: EC2AMAZ-I44GJRK Changed Attributes: SAM Account Name: DefaultAccount Display Name: User Principal Name: - Home Directory: Home Drive: Script Path: Profile Path: User Workstations: Password Last Set: Account Expires: Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x215 New UAC Value: 0x215 User Account Control: - User Parameters: SID History: - Logon Hours: All Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4738 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223618 Keywords=Audit Success Message=A user account was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: ATTACKRANGE\DefaultAccount Account Name: DefaultAccount Account Domain: EC2AMAZ-I44GJRK Changed Attributes: SAM Account Name: DefaultAccount Display Name: User Principal Name: - Home Directory: Home Drive: Script Path: Profile Path: User Workstations: Password Last Set: Account Expires: Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x215 New UAC Value: 0x215 User Account Control: - User Parameters: SID History: - Logon Hours: All Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4738 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223617 Keywords=Audit Success Message=A user account was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: ATTACKRANGE\Guest Account Name: Guest Account Domain: EC2AMAZ-I44GJRK Changed Attributes: SAM Account Name: Guest Display Name: User Principal Name: - Home Directory: Home Drive: Script Path: Profile Path: User Workstations: Password Last Set: Account Expires: Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x215 New UAC Value: 0x215 User Account Control: - User Parameters: SID History: - Logon Hours: All Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4738 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223616 Keywords=Audit Success Message=A user account was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: ATTACKRANGE\Guest Account Name: Guest Account Domain: EC2AMAZ-I44GJRK Changed Attributes: SAM Account Name: Guest Display Name: User Principal Name: - Home Directory: Home Drive: Script Path: Profile Path: User Workstations: Password Last Set: Account Expires: Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x215 New UAC Value: 0x215 User Account Control: - User Parameters: SID History: - Logon Hours: All Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4738 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223615 Keywords=Audit Success Message=A user account was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Changed Attributes: SAM Account Name: Administrator Display Name: User Principal Name: - Home Directory: Home Drive: Script Path: Profile Path: User Workstations: Password Last Set: 10/9/2020 8:39:38 AM Account Expires: Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x14 New UAC Value: 0x14 User Account Control: - User Parameters: SID History: - Logon Hours: All Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4738 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223614 Keywords=Audit Success Message=A user account was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Changed Attributes: SAM Account Name: Administrator Display Name: User Principal Name: - Home Directory: Home Drive: Script Path: Profile Path: User Workstations: Password Last Set: 10/9/2020 8:39:38 AM Account Expires: Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x14 New UAC Value: 0x14 User Account Control: - User Parameters: SID History: - Logon Hours: All Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223613 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\System Managed Group Group Name: System Managed Accounts Group Group Domain: Builtin Changed Attributes: SAM Account Name: System Managed Accounts Group SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223612 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\System Managed Group Account Domain: Builtin Old Account Name: System Managed Accounts Group New Account Name: System Managed Accounts Group Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223611 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\System Managed Group Group Name: System Managed Accounts Group Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223610 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Storage Replica Administrators Group Name: Storage Replica Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: Storage Replica Administrators SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223609 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Storage Replica Administrators Account Domain: Builtin Old Account Name: Storage Replica Administrators New Account Name: Storage Replica Administrators Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223608 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Storage Replica Administrators Group Name: Storage Replica Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223607 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Remote Management Users Group Name: Remote Management Users Group Domain: Builtin Changed Attributes: SAM Account Name: Remote Management Users SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223606 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Remote Management Users Account Domain: Builtin Old Account Name: Remote Management Users New Account Name: Remote Management Users Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223605 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Remote Management Users Group Name: Remote Management Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223604 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Access Control Assistance Operators Group Name: Access Control Assistance Operators Group Domain: Builtin Changed Attributes: SAM Account Name: Access Control Assistance Operators SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223603 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Access Control Assistance Operators Account Domain: Builtin Old Account Name: Access Control Assistance Operators New Account Name: Access Control Assistance Operators Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223602 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Access Control Assistance Operators Group Name: Access Control Assistance Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223601 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Hyper-V Administrators Group Name: Hyper-V Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: Hyper-V Administrators SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223600 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Hyper-V Administrators Account Domain: Builtin Old Account Name: Hyper-V Administrators New Account Name: Hyper-V Administrators Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223599 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Hyper-V Administrators Group Name: Hyper-V Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223598 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\RDS Management Servers Group Name: RDS Management Servers Group Domain: Builtin Changed Attributes: SAM Account Name: RDS Management Servers SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223597 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\RDS Management Servers Account Domain: Builtin Old Account Name: RDS Management Servers New Account Name: RDS Management Servers Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223596 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\RDS Management Servers Group Name: RDS Management Servers Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223595 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\RDS Endpoint Servers Group Name: RDS Endpoint Servers Group Domain: Builtin Changed Attributes: SAM Account Name: RDS Endpoint Servers SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223594 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\RDS Endpoint Servers Account Domain: Builtin Old Account Name: RDS Endpoint Servers New Account Name: RDS Endpoint Servers Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223593 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\RDS Endpoint Servers Group Name: RDS Endpoint Servers Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223592 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\RDS Remote Access Servers Group Name: RDS Remote Access Servers Group Domain: Builtin Changed Attributes: SAM Account Name: RDS Remote Access Servers SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223591 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\RDS Remote Access Servers Account Domain: Builtin Old Account Name: RDS Remote Access Servers New Account Name: RDS Remote Access Servers Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223590 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\RDS Remote Access Servers Group Name: RDS Remote Access Servers Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223589 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Certificate Service DCOM Access Group Name: Certificate Service DCOM Access Group Domain: Builtin Changed Attributes: SAM Account Name: Certificate Service DCOM Access SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223588 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Certificate Service DCOM Access Account Domain: Builtin Old Account Name: Certificate Service DCOM Access New Account Name: Certificate Service DCOM Access Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223587 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Certificate Service DCOM Access Group Name: Certificate Service DCOM Access Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223586 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Event Log Readers Group Name: Event Log Readers Group Domain: Builtin Changed Attributes: SAM Account Name: Event Log Readers SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223585 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Event Log Readers Account Domain: Builtin Old Account Name: Event Log Readers New Account Name: Event Log Readers Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223584 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Event Log Readers Group Name: Event Log Readers Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223583 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Cryptographic Operators Group Name: Cryptographic Operators Group Domain: Builtin Changed Attributes: SAM Account Name: Cryptographic Operators SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223582 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Cryptographic Operators Account Domain: Builtin Old Account Name: Cryptographic Operators New Account Name: Cryptographic Operators Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223581 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Cryptographic Operators Group Name: Cryptographic Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223580 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\IIS_IUSRS Group Name: IIS_IUSRS Group Domain: Builtin Changed Attributes: SAM Account Name: IIS_IUSRS SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223579 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\IIS_IUSRS Account Domain: Builtin Old Account Name: IIS_IUSRS New Account Name: IIS_IUSRS Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223578 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\IIS_IUSRS Group Name: IIS_IUSRS Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223577 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Distributed COM Users Group Name: Distributed COM Users Group Domain: Builtin Changed Attributes: SAM Account Name: Distributed COM Users SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223576 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Distributed COM Users Account Domain: Builtin Old Account Name: Distributed COM Users New Account Name: Distributed COM Users Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223575 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Distributed COM Users Group Name: Distributed COM Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223574 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Performance Log Users Group Name: Performance Log Users Group Domain: Builtin Changed Attributes: SAM Account Name: Performance Log Users SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223573 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Performance Log Users Account Domain: Builtin Old Account Name: Performance Log Users New Account Name: Performance Log Users Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223572 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Performance Log Users Group Name: Performance Log Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223571 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Performance Monitor Users Group Name: Performance Monitor Users Group Domain: Builtin Changed Attributes: SAM Account Name: Performance Monitor Users SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223570 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Performance Monitor Users Account Domain: Builtin Old Account Name: Performance Monitor Users New Account Name: Performance Monitor Users Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223569 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Performance Monitor Users Group Name: Performance Monitor Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223568 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: NONE_MAPPED Group Name: Power Users Group Domain: Builtin Changed Attributes: SAM Account Name: Power Users SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223567 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: NONE_MAPPED Account Domain: Builtin Old Account Name: Power Users New Account Name: Power Users Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223566 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: NONE_MAPPED Group Name: Power Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223565 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Network Configuration Operators Group Name: Network Configuration Operators Group Domain: Builtin Changed Attributes: SAM Account Name: Network Configuration Operators SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223564 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Network Configuration Operators Account Domain: Builtin Old Account Name: Network Configuration Operators New Account Name: Network Configuration Operators Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223563 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Network Configuration Operators Group Name: Network Configuration Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223562 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Remote Desktop Users Group Name: Remote Desktop Users Group Domain: Builtin Changed Attributes: SAM Account Name: Remote Desktop Users SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223561 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Remote Desktop Users Account Domain: Builtin Old Account Name: Remote Desktop Users New Account Name: Remote Desktop Users Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223560 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Remote Desktop Users Group Name: Remote Desktop Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223559 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Replicator Group Name: Replicator Group Domain: Builtin Changed Attributes: SAM Account Name: Replicator SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223558 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Replicator Account Domain: Builtin Old Account Name: Replicator New Account Name: Replicator Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223557 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Replicator Group Name: Replicator Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223556 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Changed Attributes: SAM Account Name: Backup Operators SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223555 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Backup Operators Account Domain: Builtin Old Account Name: Backup Operators New Account Name: Backup Operators Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223554 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223553 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Guests Group Name: Guests Group Domain: Builtin Changed Attributes: SAM Account Name: Guests SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223552 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Guests Account Domain: Builtin Old Account Name: Guests New Account Name: Guests Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223551 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Guests Group Name: Guests Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223550 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Users Group Name: Users Group Domain: Builtin Changed Attributes: SAM Account Name: Users SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223549 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Users Account Domain: Builtin Old Account Name: Users New Account Name: Users Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223548 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Users Group Name: Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223547 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: Administrators SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223546 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Administrators Account Domain: Builtin Old Account Name: Administrators New Account Name: Administrators Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223545 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223544 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Print Operators Group Name: Print Operators Group Domain: Builtin Changed Attributes: SAM Account Name: Print Operators SID History: - Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4781 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223543 Keywords=Audit Success Message=The name of an account was changed: Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: BUILTIN\Print Operators Account Domain: Builtin Old Account Name: Print Operators New Account Name: Print Operators Additional Information: Privileges: - 10/09/2020 08:40:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4735 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223542 Keywords=Audit Success Message=A security-enabled local group was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Print Operators Group Name: Print Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: - 10/09/2020 08:40:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223633 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:40:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223632 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:40:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223631 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:40:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223630 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:40:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223629 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:40:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223628 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:40:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223627 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x480 Process Name: C:\Windows\System32\svchost.exe 10/09/2020 08:40:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223626 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x480 Process Name: C:\Windows\System32\svchost.exe 10/09/2020 08:40:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5033 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Other System Events OpCode=Info RecordNumber=223625 Keywords=Audit Success Message=The Windows Firewall Driver started successfully. 10/09/2020 08:40:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223642 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:40:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223641 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:40:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223640 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x3e4 Process Name: C:\Windows\System32\svchost.exe 10/09/2020 08:40:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223639 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x3e4 Process Name: C:\Windows\System32\svchost.exe 10/09/2020 08:40:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223638 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x3e4 Process Name: C:\Windows\System32\svchost.exe 10/09/2020 08:40:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5024 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Other System Events OpCode=Info RecordNumber=223637 Keywords=Audit Success Message=The Windows Firewall service started successfully. 10/09/2020 08:40:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223636 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:40:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223635 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:40:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223634 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x1B605 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:40:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=System Integrity OpCode=Info RecordNumber=223646 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: TSSecKeySet1 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0 10/09/2020 08:40:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Other System Events OpCode=Info RecordNumber=223645 Keywords=Audit Success Message=Key file operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: TSSecKeySet1 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_a5f018ff-4bb8-43ad-9826-7b5a47e80342 Operation: Read persisted key from file. Return Code: 0x0 10/09/2020 08:40:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=System Integrity OpCode=Info RecordNumber=223644 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: TSSecKeySet1 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0 10/09/2020 08:40:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Other System Events OpCode=Info RecordNumber=223643 Keywords=Audit Success Message=Key file operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: TSSecKeySet1 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_a5f018ff-4bb8-43ad-9826-7b5a47e80342 Operation: Read persisted key from file. Return Code: 0x0 10/09/2020 08:40:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223648 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:40:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223647 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:40:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223650 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:40:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223649 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2b8 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:40:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223653 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: ATTACKRANGE\Guest Account Name: Guest Account Domain: EC2AMAZ-I44GJRK Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe 10/09/2020 08:40:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223652 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: ATTACKRANGE\DefaultAccount Account Name: DefaultAccount Account Domain: EC2AMAZ-I44GJRK Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe 10/09/2020 08:40:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223651 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe 10/09/2020 08:40:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4724 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223656 Keywords=Audit Success Message=An attempt was made to reset an account's password. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK 10/09/2020 08:40:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4738 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223655 Keywords=Audit Success Message=A user account was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Changed Attributes: SAM Account Name: Administrator Display Name: User Principal Name: - Home Directory: Home Drive: Script Path: Profile Path: User Workstations: Password Last Set: 10/9/2020 8:40:58 AM Account Expires: Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x14 New UAC Value: 0x10 User Account Control: 'Password Not Required' - Disabled User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: - 10/09/2020 08:40:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223654 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Process Information: Process ID: 0xca8 Process Name: C:\Windows\System32\net1.exe 10/09/2020 08:41:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223663 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x77FF1 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:41:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223662 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 4 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x77FF1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa80 Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:41:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223661 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa80 Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:41:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223660 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:41:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223659 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: ATTACKRANGE\Guest Account Name: Guest Account Domain: EC2AMAZ-I44GJRK Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe 10/09/2020 08:41:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223658 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: ATTACKRANGE\DefaultAccount Account Name: DefaultAccount Account Domain: EC2AMAZ-I44GJRK Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe 10/09/2020 08:41:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223657 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Process Information: Process ID: 0x46c Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe 10/09/2020 08:41:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223664 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x3e4 Process Name: C:\Windows\System32\svchost.exe 10/09/2020 08:41:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4616 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security State Change OpCode=Info RecordNumber=223666 Keywords=Audit Success Message=The system time was changed. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: Process ID: 0x4b4 Name: C:\Windows\System32\svchost.exe Previous Time: ‎2020‎-‎10‎-‎09T08:41:12.640362600Z New Time: ‎2020‎-‎10‎-‎09T08:41:12.631000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer. 10/09/2020 08:41:12 AM LogName=Security SourceName=Microsoft-Windows-Eventlog EventCode=1100 EventType=4 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Service shutdown OpCode=Info RecordNumber=223665 Keywords=Audit Success Message=The event logging service has shut down. 10/09/2020 08:57:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Process Creation OpCode=Info RecordNumber=223669 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x280 New Process Name: C:\Windows\System32\autochk.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1f4 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 08:57:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Process Creation OpCode=Info RecordNumber=223668 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1f4 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x4 Creator Process Name: Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 08:57:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4826 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Other Policy Change Events OpCode=Info RecordNumber=223667 Keywords=Audit Success Message=Boot Configuration Data loaded. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 General Settings: Load Options: - Advanced Options: No Configuration Access Policy: Default System Event Logging: No Kernel Debugging: No VSM Launch Type: Off Signature Settings: Test Signing: No Flight Signing: No Disable Integrity Checks: No HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: Off HyperVisor Debugging: No 10/09/2020 08:57:41 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Process Creation OpCode=Info RecordNumber=223670 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2b4 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1f4 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 08:57:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Process Creation OpCode=Info RecordNumber=223675 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x358 New Process Name: C:\Windows\System32\winlogon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x2fc Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 08:57:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Process Creation OpCode=Info RecordNumber=223674 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x31c New Process Name: C:\Windows\System32\wininit.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x2b4 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 08:57:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Process Creation OpCode=Info RecordNumber=223673 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x304 New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x2fc Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 08:57:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Process Creation OpCode=Info RecordNumber=223672 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2fc New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1f4 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 08:57:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Process Creation OpCode=Info RecordNumber=223671 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2bc New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x2b4 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 08:57:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4902 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Audit Policy Change OpCode=Info RecordNumber=223680 Keywords=Audit Success Message=The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0x710E 10/09/2020 08:57:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223679 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: - New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:57:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4608 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security State Change OpCode=Info RecordNumber=223678 Keywords=Audit Success Message=Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized. 10/09/2020 08:57:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Process Creation OpCode=Info RecordNumber=223677 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x3a0 New Process Name: C:\Windows\System32\lsass.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x31c Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 08:57:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Process Creation OpCode=Info RecordNumber=223676 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x38c New Process Name: C:\Windows\System32\services.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x31c Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 08:57:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223695 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x10B8E Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege 10/09/2020 08:57:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223694 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x10B79 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 10/09/2020 08:57:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223693 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x10B8E Linked Logon ID: 0x10B79 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x358 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:57:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223692 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x10B79 Linked Logon ID: 0x10B8E Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x358 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:57:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223691 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x358 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:57:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223690 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:57:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223689 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x38c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:57:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223688 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 10/09/2020 08:57:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223687 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x38c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:57:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223686 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:57:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223685 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x38c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:57:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223684 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 10/09/2020 08:57:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223683 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x38c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:57:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223682 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:57:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223681 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x38c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:57:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5024 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Other System Events OpCode=Info RecordNumber=223710 Keywords=Audit Success Message=The Windows Firewall service started successfully. 10/09/2020 08:57:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223709 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x414 Process Name: C:\Windows\System32\svchost.exe 10/09/2020 08:57:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223708 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x414 Process Name: C:\Windows\System32\svchost.exe 10/09/2020 08:57:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223707 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x16972 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:57:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223706 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe 10/09/2020 08:57:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223705 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe 10/09/2020 08:57:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223704 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:57:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223703 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x38c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:57:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223702 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:57:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223701 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x38c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:57:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223700 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:57:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223699 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x38c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:57:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223698 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:57:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223697 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x38c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:57:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5033 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Other System Events OpCode=Info RecordNumber=223696 Keywords=Audit Success Message=The Windows Firewall Driver started successfully. 10/09/2020 08:57:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223712 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:57:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223711 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x38c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223714 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223713 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x38c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223718 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Process Information: Process ID: 0xff4 Process Name: C:\Windows\System32\net1.exe 10/09/2020 08:58:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223717 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: ATTACKRANGE\Guest Account Name: Guest Account Domain: EC2AMAZ-I44GJRK Process Information: Process ID: 0xaa0 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe 10/09/2020 08:58:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223716 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: ATTACKRANGE\DefaultAccount Account Name: DefaultAccount Account Domain: EC2AMAZ-I44GJRK Process Information: Process ID: 0xaa0 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe 10/09/2020 08:58:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223715 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Process Information: Process ID: 0xaa0 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe 10/09/2020 08:58:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4724 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223720 Keywords=Audit Success Message=An attempt was made to reset an account's password. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK 10/09/2020 08:58:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4738 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223719 Keywords=Audit Success Message=A user account was changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Changed Attributes: SAM Account Name: Administrator Display Name: User Principal Name: - Home Directory: Home Drive: Script Path: Profile Path: User Workstations: Password Last Set: 10/9/2020 8:58:14 AM Account Expires: Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x10 New UAC Value: 0x10 User Account Control: - User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: - 10/09/2020 08:58:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223727 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x71B78 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223726 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 4 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x71B78 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xb50 Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223725 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xb50 Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223724 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223723 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: ATTACKRANGE\Guest Account Name: Guest Account Domain: EC2AMAZ-I44GJRK Process Information: Process ID: 0xaa0 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe 10/09/2020 08:58:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223722 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: ATTACKRANGE\DefaultAccount Account Name: DefaultAccount Account Domain: EC2AMAZ-I44GJRK Process Information: Process ID: 0xaa0 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe 10/09/2020 08:58:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223721 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Process Information: Process ID: 0xaa0 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe 10/09/2020 08:58:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4724 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223732 Keywords=Audit Success Message=An attempt was made to reset an account's password. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x71B78 Target Account: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK 10/09/2020 08:58:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4738 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223731 Keywords=Audit Success Message=A user account was changed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x71B78 Target Account: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Changed Attributes: SAM Account Name: Administrator Display Name: User Principal Name: - Home Directory: Home Drive: Script Path: Profile Path: User Workstations: Password Last Set: 10/9/2020 8:58:19 AM Account Expires: Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x10 New UAC Value: 0x10 User Account Control: - User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: - 10/09/2020 08:58:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223730 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x71B78 User: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Process Information: Process ID: 0x0 Process Name: - 10/09/2020 08:58:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4798 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=User Account Management OpCode=Info RecordNumber=223729 Keywords=Audit Success Message=A user's local group membership was enumerated. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x71B78 User: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Process Information: Process ID: 0x0 Process Name: - 10/09/2020 08:58:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223728 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x414 Process Name: C:\Windows\System32\svchost.exe 10/09/2020 08:58:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=System Integrity OpCode=Info RecordNumber=223742 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: tp-311d0843-98b0-4f90-836e-7f5cb6a401a8 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0 10/09/2020 08:58:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Other System Events OpCode=Info RecordNumber=223741 Keywords=Audit Success Message=Key file operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: a66784502aa0ecc0e4668d873ec398e1_a5f018ff-4bb8-43ad-9826-7b5a47e80342 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\a66784502aa0ecc0e4668d873ec398e1_a5f018ff-4bb8-43ad-9826-7b5a47e80342 Operation: Read persisted key from file. Return Code: 0x0 10/09/2020 08:58:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=System Integrity OpCode=Info RecordNumber=223740 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x71B78 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: tp-311d0843-98b0-4f90-836e-7f5cb6a401a8 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0 10/09/2020 08:58:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Other System Events OpCode=Info RecordNumber=223739 Keywords=Audit Success Message=Key file operation. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x71B78 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: tp-311d0843-98b0-4f90-836e-7f5cb6a401a8 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\a66784502aa0ecc0e4668d873ec398e1_a5f018ff-4bb8-43ad-9826-7b5a47e80342 Operation: Read persisted key from file. Return Code: 0x0 10/09/2020 08:58:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=System Integrity OpCode=Info RecordNumber=223738 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x71B78 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: tp-311d0843-98b0-4f90-836e-7f5cb6a401a8 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0 10/09/2020 08:58:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Other System Events OpCode=Info RecordNumber=223737 Keywords=Audit Success Message=Key file operation. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x71B78 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: tp-311d0843-98b0-4f90-836e-7f5cb6a401a8 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\a66784502aa0ecc0e4668d873ec398e1_a5f018ff-4bb8-43ad-9826-7b5a47e80342 Operation: Read persisted key from file. Return Code: 0x0 10/09/2020 08:58:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=System Integrity OpCode=Info RecordNumber=223736 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x71B78 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: tp-311d0843-98b0-4f90-836e-7f5cb6a401a8 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0 10/09/2020 08:58:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Other System Events OpCode=Info RecordNumber=223735 Keywords=Audit Success Message=Key file operation. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x71B78 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: tp-311d0843-98b0-4f90-836e-7f5cb6a401a8 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\a66784502aa0ecc0e4668d873ec398e1_a5f018ff-4bb8-43ad-9826-7b5a47e80342 Operation: Read persisted key from file. Return Code: 0x0 10/09/2020 08:58:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=System Integrity OpCode=Info RecordNumber=223734 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x71B78 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: tp-311d0843-98b0-4f90-836e-7f5cb6a401a8 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0 10/09/2020 08:58:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Other System Events OpCode=Info RecordNumber=223733 Keywords=Audit Success Message=Key file operation. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x71B78 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: tp-311d0843-98b0-4f90-836e-7f5cb6a401a8 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\a66784502aa0ecc0e4668d873ec398e1_a5f018ff-4bb8-43ad-9826-7b5a47e80342 Operation: Read persisted key from file. Return Code: 0x0 10/09/2020 08:58:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4625 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223744 Keywords=Audit Failure Message=An account failed to log on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: NULL SID Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC000006A Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4625 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223743 Keywords=Audit Failure Message=An account failed to log on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: NULL SID Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC000006A Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223758 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x414 Process Name: C:\Windows\System32\svchost.exe 10/09/2020 08:58:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223757 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x8449B Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223756 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x8449B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223755 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223754 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223753 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x84365 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223752 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x84365 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223751 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223750 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223749 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x414 Process Name: C:\Windows\System32\svchost.exe 10/09/2020 08:58:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223748 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x83B6F Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223747 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x83B6F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223746 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223745 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223870 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x414 Process Name: C:\Windows\System32\svchost.exe 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=223869 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x88630 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223868 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x88CA1 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223867 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x88CA1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223866 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223865 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=223864 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x88C67 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223863 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x88C67 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223862 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x88C67 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223861 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223860 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223859 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x414 Process Name: C:\Windows\System32\svchost.exe 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223858 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x88630 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223857 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x88630 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223856 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223855 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=223854 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x882AF Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223853 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x88556 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223852 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x88556 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223851 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223850 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=223849 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x88525 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223848 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x88525 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223847 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x88525 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223846 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223845 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=223844 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x883EA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223843 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x883EA Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223842 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x883EA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223841 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223840 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223839 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x882AF Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223838 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x882AF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223837 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223836 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223835 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x414 Process Name: C:\Windows\System32\svchost.exe 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223834 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x87D3F Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223833 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x87D3F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223832 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223831 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=223830 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x84365 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=223829 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x86A6C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223828 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x87D07 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223827 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x87D07 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223826 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223825 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=223824 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x87CD6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223823 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x87CD6 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223822 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x87CD6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223821 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223820 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=223819 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x86B8A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223818 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x86B8A Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223817 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x86B8A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223816 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223815 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223814 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x86A6C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223813 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x86A6C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223812 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223811 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223810 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x414 Process Name: C:\Windows\System32\svchost.exe 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=223809 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x84C22 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223808 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x864F8 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223807 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x864F8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223806 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223805 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=223804 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x864C0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=223803 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x851A7 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223802 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x864C0 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223801 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x864C0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223800 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223799 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=223798 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x8648F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223797 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x8648F Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223796 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x8648F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223795 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223794 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=223793 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x852AD Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223792 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x852AD Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223791 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x852AD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223790 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223789 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223788 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x851A7 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223787 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x851A7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223786 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223785 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223784 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x414 Process Name: C:\Windows\System32\svchost.exe 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=223783 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x8449B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223782 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x84C22 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223781 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x84C22 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223780 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223779 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=223778 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x84BE5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=223777 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x8497C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223776 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x84BE5 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223775 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x84BE5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223774 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223773 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=223772 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x84BAB Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223771 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x84BAB Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223770 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x84BAB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223769 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223768 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=223767 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x84A9E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223766 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x84A9E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223765 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x84A9E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223764 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223763 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223762 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x8497C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223761 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x8497C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223760 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223759 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=223915 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x8B24D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:58:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223914 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x8C49C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223913 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x8C49C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223912 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223911 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=223910 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x8C46B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:58:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223909 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x8C46B Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223908 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x8C46B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223907 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223906 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=223905 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x8B367 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:58:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223904 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x8B367 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223903 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x8B367 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223902 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223901 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223900 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x8B24D Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223899 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x8B24D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223898 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223897 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223896 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x414 Process Name: C:\Windows\System32\svchost.exe 10/09/2020 08:58:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=223895 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x88CA1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:58:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223894 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x8ABFF Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223893 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x8ABFF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223892 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223891 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=223890 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x8ABC7 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:58:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=223889 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x8921A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:58:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223888 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x8ABC7 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223887 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x8ABC7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223886 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223885 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=223884 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x8AB96 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:58:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223883 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x8AB96 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223882 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x8AB96 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223881 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223880 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=223879 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x892EF Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:58:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223878 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x892EF Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223877 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x892EF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223876 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223875 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223874 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x8921A Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223873 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x8921A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223872 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223871 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223928 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x8CC5F Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223927 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x8CC5F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223926 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223925 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223924 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x8CB4E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223923 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x8CB4E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223922 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223921 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223920 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x414 Process Name: C:\Windows\System32\svchost.exe 10/09/2020 08:58:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223919 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x8C631 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223918 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x8C631 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223917 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223916 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223936 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x8F358 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223935 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x8F358 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223934 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223933 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223932 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x8E89E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223931 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x8E89E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223930 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223929 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223937 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x8C631 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xddc Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10/09/2020 08:58:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=223951 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xA2304 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:58:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=223950 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x8CB4E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:58:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223949 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xA2304 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223948 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xA2304 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223947 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223946 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=223945 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xA22D3 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:58:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223944 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xA22D3 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223943 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xA22D3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223942 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223941 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=223940 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x8F358 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:58:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=223939 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x8E89E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:58:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=223938 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0x8CC5F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:58:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223968 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xA48F7 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223967 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xA48F7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223966 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223965 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223964 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xA2BC2 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223963 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xA2BC2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223962 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223961 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223960 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xA2AC5 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223959 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xA2AC5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223958 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223957 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223956 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x414 Process Name: C:\Windows\System32\svchost.exe 10/09/2020 08:58:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223955 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xA23FD Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223954 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xA23FD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223953 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223952 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=224004 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xA7F10 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224003 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xA7F10 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224002 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=224001 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=224000 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xA632A Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223999 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xA632A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223998 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223997 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223996 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xA622A Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223995 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xA622A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223994 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223993 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=223992 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x414 Process Name: C:\Windows\System32\svchost.exe 10/09/2020 08:58:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223991 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xA5D57 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223990 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xA5D57 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223989 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223988 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=223987 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xA23FD Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:58:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=223986 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xA5C5C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:58:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=223985 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xA2AC5 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:58:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223984 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xA5C5C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223983 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xA5C5C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223982 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223981 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=223980 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xA5C2B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:58:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223979 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xA5C2B Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223978 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xA5C2B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223977 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223976 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=223975 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xA59B9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:58:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=223974 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xA48F7 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:58:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=223973 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xA2BC2 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:58:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=223972 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xA59B9 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223971 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xA59B9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=223970 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=223969 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:58:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=224008 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xA8B7F Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:58:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224007 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xA8B7F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:58:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224006 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:58:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=224005 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:59:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=224013 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xC2CD0 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224012 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xC2CD0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224011 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=224010 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:59:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=224009 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xA8B7F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:59:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=224025 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x804 Process Name: C:\Windows\System32\VSSVC.exe 10/09/2020 08:59:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=224024 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x804 Process Name: C:\Windows\System32\VSSVC.exe 10/09/2020 08:59:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=224023 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x804 Process Name: C:\Windows\System32\VSSVC.exe 10/09/2020 08:59:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=224022 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x804 Process Name: C:\Windows\System32\VSSVC.exe 10/09/2020 08:59:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=224021 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x804 Process Name: C:\Windows\System32\VSSVC.exe 10/09/2020 08:59:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=224020 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x804 Process Name: C:\Windows\System32\VSSVC.exe 10/09/2020 08:59:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=224019 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224018 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x38c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=224017 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x804 Process Name: C:\Windows\System32\VSSVC.exe 10/09/2020 08:59:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=224016 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x804 Process Name: C:\Windows\System32\VSSVC.exe 10/09/2020 08:59:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=224015 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:07 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224014 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x38c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=224040 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xA5D57 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:59:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=224039 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xCE551 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:59:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=224038 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xA622A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:59:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=224037 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xCE551 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224036 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xCE551 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224035 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=224034 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:59:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=224033 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xCE520 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:59:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=224032 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xCE520 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224031 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xCE520 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224030 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=224029 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:59:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=224028 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xC2CD0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:59:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=224027 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xA7F10 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:59:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=224026 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xA632A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:59:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=224057 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD0A85 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224056 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD0A85 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224055 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=224054 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:59:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=224053 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xCED9F Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224052 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xCED9F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224051 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=224050 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:59:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=224049 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xCECA2 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224048 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xCECA2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224047 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=224046 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:59:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=224045 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x414 Process Name: C:\Windows\System32\svchost.exe 10/09/2020 08:59:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=224044 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xCE63F Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224043 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xCE63F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224042 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=224041 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:59:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=224093 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD40E6 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224092 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD40E6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224091 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=224090 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:59:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=224089 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD24C9 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224088 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD24C9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224087 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=224086 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:59:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=224085 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD23C8 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224084 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD23C8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224083 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=224082 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:59:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=224081 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x414 Process Name: C:\Windows\System32\svchost.exe 10/09/2020 08:59:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=224080 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD1F11 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224079 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD1F11 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224078 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=224077 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:59:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=224076 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xCE63F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:59:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=224075 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD1E31 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:59:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=224074 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xCECA2 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:59:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=224073 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD1E31 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224072 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD1E31 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224071 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=224070 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:59:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=224069 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD1DFF Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:59:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=224068 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD1DFF Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224067 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD1DFF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224066 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=224065 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:59:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=224064 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD1748 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:59:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=224063 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD0A85 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:59:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=224062 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xCED9F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:59:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=224061 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD1748 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224060 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD1748 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224059 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=224058 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:59:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Security Group Management OpCode=Info RecordNumber=224117 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x414 Process Name: C:\Windows\System32\svchost.exe 10/09/2020 08:59:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=224116 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD547D Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224115 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD547D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224114 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=224113 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:59:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=224112 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD1F11 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:59:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=224111 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD539E Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:59:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=224110 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD23C8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:59:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=224109 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD539E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224108 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD539E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224107 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=224106 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:59:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=224105 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD536D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:59:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=224104 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD536D Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224103 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD536D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224102 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=224101 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:59:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=224100 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD4DBA Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:59:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=224099 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD40E6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:59:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=224098 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD24C9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:59:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=224097 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD4DBA Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224096 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD4DBA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224095 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=224094 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:59:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=224157 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD93F1 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224156 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD93F1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224155 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=224154 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:59:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=224153 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD931D Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224152 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD931D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224151 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=224150 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:59:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=224149 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD8FBD Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224148 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD8FBD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224147 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=224146 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:59:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=224145 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD8F62 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:59:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=224144 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD8F62 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224143 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD8F62 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224142 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=224141 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:59:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=224140 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD6EE4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:59:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=224139 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD6EE4 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224138 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD6EE4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224137 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=224136 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:59:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=224135 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD6E21 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224134 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD6E21 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224133 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=224132 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:59:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=224131 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD6DF0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:59:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=224130 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD6DF0 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224129 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD6DF0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224128 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=224127 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:59:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=224126 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD5A27 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:59:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=224125 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD5A27 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224124 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD5A27 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224123 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=224122 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:59:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=224121 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD5936 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224120 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD5936 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224119 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=224118 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:59:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=224162 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xDA78D Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224161 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xDA78D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224160 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=224159 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:59:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=224158 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xD93F1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:59:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224186 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_cae2264614449191.cdf-ms Handle ID: 0x70 Process Information: Process ID: 0xe6c Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 08:59:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224185 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_fe5c6d762edd2110.cdf-ms Handle ID: 0x70 Process Information: Process ID: 0xe6c Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 08:59:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224184 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata.cdf-ms Handle ID: 0x6c Process Information: Process ID: 0xe6c Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 08:59:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224183 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_elambkup_0bc02aa0c28485f3.cdf-ms Handle ID: 0x64 Process Information: Process ID: 0xe6c Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 08:59:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224182 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_drivers_dc1b782427b5ee1b.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0xe6c Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 08:59:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224181 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_windowspowershell_v1.0_modules_a349059b05097caa.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0xe6c Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 08:59:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224180 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_windowspowershell_v1.0_3f102d555ee05d33.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0xe6c Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 08:59:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224179 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_21f9a9c4a2f8b514.cdf-ms Handle ID: 0x64 Process Information: Process ID: 0xe6c Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 08:59:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224178 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_21ffbdd2a2dd92e0.cdf-ms Handle ID: 0x58 Process Information: Process ID: 0xe6c Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 08:59:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224177 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$.cdf-ms Handle ID: 0x58 Process Information: Process ID: 0xe6c Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 08:59:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224176 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\_0000000000000000.cdf-ms Handle ID: 0x58 Process Information: Process ID: 0xe6c Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 08:59:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=224175 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xDAE0D Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224174 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xDAE0D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224173 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=224172 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:59:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=224171 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xDAD0C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224170 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xDAD0C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224169 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=224168 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:59:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=224167 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xDA97F Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224166 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xDA97F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224165 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=224164 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:59:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=224163 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xDA78D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:59:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Special Logon OpCode=Info RecordNumber=224197 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xDC71E Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224196 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xDC71E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: EC2AMAZ-I44GJRK Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logon OpCode=Info RecordNumber=224195 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x564 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Credential Validation OpCode=Info RecordNumber=224194 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: EC2AMAZ-I44GJRK Error Code: 0x0 10/09/2020 08:59:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Logoff OpCode=Info RecordNumber=224193 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: EC2AMAZ-I44GJRK Logon ID: 0xDAE0D Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:59:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224192 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\program_files_windows_defender_3e33901162166ae9.cdf-ms Handle ID: 0x7c Process Information: Process ID: 0xe6c Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 08:59:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224191 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\program_files_ffd0cbfc813cc4f1.cdf-ms Handle ID: 0x7c Process Information: Process ID: 0xe6c Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 08:59:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224190 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\program_files_x86__676bbe2c7241b694.cdf-ms Handle ID: 0x88 Process Information: Process ID: 0xe6c Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 08:59:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224189 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_start_menu_programs_system_tools_fde5decba5bb578b.cdf-ms Handle ID: 0x88 Process Information: Process ID: 0xe6c Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 08:59:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224188 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_start_menu_programs_d672ba09d81e87ff.cdf-ms Handle ID: 0x7c Process Information: Process ID: 0xe6c Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 08:59:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224187 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: EC2AMAZ-I44GJRK$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_start_menu_fde55420546edfe6.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0xe6c Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD) 10/09/2020 08:59:18 AM LogName=Security SourceName=Microsoft-Windows-Eventlog EventCode=1100 EventType=4 Type=Information ComputerName=EC2AMAZ-I44GJRK TaskCategory=Service shutdown OpCode=Info RecordNumber=224198 Keywords=Audit Success Message=The event logging service has shut down. 10/09/2020 08:59:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Process Creation OpCode=Info RecordNumber=224200 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1c0 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x4 Creator Process Name: Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 08:59:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4826 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Other Policy Change Events OpCode=Info RecordNumber=224199 Keywords=Audit Success Message=Boot Configuration Data loaded. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 General Settings: Load Options: - Advanced Options: No Configuration Access Policy: Default System Event Logging: No Kernel Debugging: No VSM Launch Type: Off Signature Settings: Test Signing: No Flight Signing: No Disable Integrity Checks: No HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: Off HyperVisor Debugging: No 10/09/2020 08:59:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Process Creation OpCode=Info RecordNumber=224209 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x35c New Process Name: C:\Windows\System32\lsass.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x2cc Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 08:59:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Process Creation OpCode=Info RecordNumber=224208 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x354 New Process Name: C:\Windows\System32\services.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x2cc Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 08:59:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Process Creation OpCode=Info RecordNumber=224207 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x30c New Process Name: C:\Windows\System32\winlogon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x2c4 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 08:59:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Process Creation OpCode=Info RecordNumber=224206 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2d4 New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x2c4 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 08:59:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Process Creation OpCode=Info RecordNumber=224205 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2cc New Process Name: C:\Windows\System32\wininit.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x27c Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 08:59:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Process Creation OpCode=Info RecordNumber=224204 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2c4 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1c0 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 08:59:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Process Creation OpCode=Info RecordNumber=224203 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x284 New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x27c Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 08:59:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Process Creation OpCode=Info RecordNumber=224202 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x27c New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1c0 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 08:59:44 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Process Creation OpCode=Info RecordNumber=224201 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x24c New Process Name: C:\Windows\System32\autochk.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1c0 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 10/09/2020 08:59:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224239 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x140C4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Security Group Management OpCode=Info RecordNumber=224238 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe 10/09/2020 08:59:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Security Group Management OpCode=Info RecordNumber=224237 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe 10/09/2020 08:59:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=224236 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224235 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x354 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=224234 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224233 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x354 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=224232 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224231 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x354 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5033 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Other System Events OpCode=Info RecordNumber=224230 Keywords=Audit Success Message=The Windows Firewall Driver started successfully. 10/09/2020 08:59:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=224229 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224228 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x354 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=224227 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224226 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x354 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=224225 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 10/09/2020 08:59:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224224 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x354 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=224223 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224222 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x354 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=224221 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xA4ED Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege 10/09/2020 08:59:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=224220 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xA4C7 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 10/09/2020 08:59:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224219 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xA4ED Linked Logon ID: 0xA4C7 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x30c Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224218 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: Window Manager\DWM-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xA4C7 Linked Logon ID: 0xA4ED Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x30c Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224217 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x30c Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=224216 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege 10/09/2020 08:59:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224215 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x354 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=224214 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224213 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x354 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4902 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224212 Keywords=Audit Success Message=The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0x553B 10/09/2020 08:59:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224211 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: - New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4608 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Security State Change OpCode=Info RecordNumber=224210 Keywords=Audit Success Message=Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized. 10/09/2020 08:59:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5024 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Other System Events OpCode=Info RecordNumber=224246 Keywords=Audit Success Message=The Windows Firewall service started successfully. 10/09/2020 08:59:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=System Integrity OpCode=Info RecordNumber=224245 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: TSSecKeySet1 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0 10/09/2020 08:59:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Other System Events OpCode=Info RecordNumber=224244 Keywords=Audit Success Message=Key file operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: TSSecKeySet1 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_a5f018ff-4bb8-43ad-9826-7b5a47e80342 Operation: Read persisted key from file. Return Code: 0x0 10/09/2020 08:59:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=System Integrity OpCode=Info RecordNumber=224243 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: TSSecKeySet1 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0 10/09/2020 08:59:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Other System Events OpCode=Info RecordNumber=224242 Keywords=Audit Success Message=Key file operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: TSSecKeySet1 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_a5f018ff-4bb8-43ad-9826-7b5a47e80342 Operation: Read persisted key from file. Return Code: 0x0 10/09/2020 08:59:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Security Group Management OpCode=Info RecordNumber=224241 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Backup Operators Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x408 Process Name: C:\Windows\System32\svchost.exe 10/09/2020 08:59:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Security Group Management OpCode=Info RecordNumber=224240 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x408 Process Name: C:\Windows\System32\svchost.exe 10/09/2020 08:59:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=224261 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x299BD Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224260 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x299BD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224259 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-1796611 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Credential Validation OpCode=Info RecordNumber=224258 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-1796611 Error Code: 0x0 10/09/2020 08:59:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=224257 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x29949 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224256 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x29949 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224255 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-1796611 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Credential Validation OpCode=Info RecordNumber=224254 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-1796611 Error Code: 0x0 10/09/2020 08:59:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4799 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Security Group Management OpCode=Info RecordNumber=224253 Keywords=Audit Success Message=A security-enabled local group membership was enumerated. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x408 Process Name: C:\Windows\System32\svchost.exe 10/09/2020 08:59:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=224252 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x292B7 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224251 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x292B7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224250 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-1796611 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Credential Validation OpCode=Info RecordNumber=224249 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-1796611 Error Code: 0x0 10/09/2020 08:59:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5061 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=System Integrity OpCode=Info RecordNumber=224248 Keywords=Audit Success Message=Cryptographic operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: tp-311d0843-98b0-4f90-836e-7f5cb6a401a8 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0 10/09/2020 08:59:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5058 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Other System Events OpCode=Info RecordNumber=224247 Keywords=Audit Success Message=Key file operation. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: a66784502aa0ecc0e4668d873ec398e1_a5f018ff-4bb8-43ad-9826-7b5a47e80342 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\a66784502aa0ecc0e4668d873ec398e1_a5f018ff-4bb8-43ad-9826-7b5a47e80342 Operation: Read persisted key from file. Return Code: 0x0 10/09/2020 08:59:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logoff OpCode=Info RecordNumber=224292 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x2AC1C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:59:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logoff OpCode=Info RecordNumber=224291 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x2BAF4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:59:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logoff OpCode=Info RecordNumber=224290 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x2AEBD Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:59:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=224289 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x2BAF4 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224288 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x2BAF4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224287 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-1796611 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Credential Validation OpCode=Info RecordNumber=224286 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-1796611 Error Code: 0x0 10/09/2020 08:59:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logoff OpCode=Info RecordNumber=224285 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x2BAC3 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:59:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=224284 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x2BAC3 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224283 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x2BAC3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224282 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-1796611 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Credential Validation OpCode=Info RecordNumber=224281 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-1796611 Error Code: 0x0 10/09/2020 08:59:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logoff OpCode=Info RecordNumber=224280 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x2AF59 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:59:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=224279 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x2AF59 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224278 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x2AF59 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224277 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-1796611 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Credential Validation OpCode=Info RecordNumber=224276 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-1796611 Error Code: 0x0 10/09/2020 08:59:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=224275 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x2AEBD Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224274 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x2AEBD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224273 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-1796611 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Credential Validation OpCode=Info RecordNumber=224272 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-1796611 Error Code: 0x0 10/09/2020 08:59:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=224271 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x2AC1C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224270 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x2AC1C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224269 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-1796611 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Credential Validation OpCode=Info RecordNumber=224268 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-1796611 Error Code: 0x0 10/09/2020 08:59:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logoff OpCode=Info RecordNumber=224267 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x2ABD9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:59:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=224266 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x2ABD9 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224265 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x2ABD9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224264 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-1796611 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Credential Validation OpCode=Info RecordNumber=224263 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-1796611 Error Code: 0x0 10/09/2020 08:59:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logoff OpCode=Info RecordNumber=224262 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x299BD Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 10/09/2020 08:59:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=224304 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x3228D Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224303 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x3228D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224302 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-1796611 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Credential Validation OpCode=Info RecordNumber=224301 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-1796611 Error Code: 0x0 10/09/2020 08:59:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=224300 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x321E9 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224299 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x321E9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224298 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-1796611 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Credential Validation OpCode=Info RecordNumber=224297 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-1796611 Error Code: 0x0 10/09/2020 08:59:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=224296 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x31A0C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224295 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x31A0C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224294 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-1796611 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Credential Validation OpCode=Info RecordNumber=224293 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-1796611 Error Code: 0x0 10/09/2020 08:59:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=224312 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x34DB4 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224311 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x34DB4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224310 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-1796611 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Credential Validation OpCode=Info RecordNumber=224309 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-1796611 Error Code: 0x0 10/09/2020 08:59:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Special Logon OpCode=Info RecordNumber=224308 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x345FB Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 10/09/2020 08:59:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224307 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: WIN-DC-1796611 Logon ID: 0x345FB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: WIN-DC-1796611 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 10/09/2020 08:59:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4648 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Logon OpCode=Info RecordNumber=224306 Keywords=Audit Success Message=A logon was attempted using explicit credentials. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Administrator Account Domain: WIN-DC-1796611 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x5c0 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. 10/09/2020 08:59:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Credential Validation OpCode=Info RecordNumber=224305 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-1796611 Error Code: 0x0 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224472 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerZoneUnsign_v1.0.0.cdxml Handle ID: 0x7b0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224471 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerZoneTransferPolicy_v1.0.0.cdxml Handle ID: 0x51c Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224470 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerZoneTransfer_v1.0.0.cdxml Handle ID: 0x7b8 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224469 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerZoneSign_v1.0.0.cdxml Handle ID: 0x7bc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224468 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerZoneScope_v1.0.0.cdxml Handle ID: 0x3ac Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224467 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerZoneKeyMasterRole_v1.0.0.cdxml Handle ID: 0x7b0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224466 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerZoneDelegation_v1.0.0.cdxml Handle ID: 0x7b4 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224465 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerZoneAging_v1.0.0.cdxml Handle ID: 0x72c Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224464 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerZone_v1.0.0.cdxml Handle ID: 0x7bc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224463 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerVirtualizationInstance_v1.0.0.cdxml Handle ID: 0x7b8 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224462 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerTrustPoint_v1.0.0.cdxml Handle ID: 0x3ac Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224461 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerTrustAnchor_v1.0.0.cdxml Handle ID: 0x72c Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224460 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerStubZone_v1.0.0.cdxml Handle ID: 0x7bc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224459 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerStatistics_v1.0.0.cdxml Handle ID: 0x7b8 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224458 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerSigningKeyRollover_v1.0.0.cdxml Handle ID: 0x3ac Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224457 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerSigningKey_v1.0.0.cdxml Handle ID: 0x72c Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224456 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerSetting_v1.0.0.cdxml Handle ID: 0x7bc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224455 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerSecondaryZone_v1.0.0.cdxml Handle ID: 0x7b8 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224454 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerScavenging_v1.0.0.cdxml Handle ID: 0x3ac Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224453 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerRootHint_v1.0.0.cdxml Handle ID: 0x72c Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224452 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerResponseRateLimitingExceptionlist_v1.0.0.cdxml Handle ID: 0x7bc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224451 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerResponseRateLimiting_v1.0.0.cdxml Handle ID: 0x7b8 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224450 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerResourceRecordPTR_v1.0.0.cdxml Handle ID: 0x3ac Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224449 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerResourceRecordMX_v1.0.0.cdxml Handle ID: 0x7b4 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224448 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerResourceRecordDS_v1.0.0.cdxml Handle ID: 0x7b0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224447 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerResourceRecordDnsKey_v1.0.0.cdxml Handle ID: 0x7bc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224446 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerResourceRecordCNAME_v1.0.0.cdxml Handle ID: 0x72c Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224445 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerResourceRecordAging_v1.0.0.cdxml Handle ID: 0x7b8 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224444 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerResourceRecordAAAA_v1.0.0.cdxml Handle ID: 0x3ac Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224443 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerResourceRecordA_v1.0.0.cdxml Handle ID: 0x7bc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224442 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerResourceRecord_v1.0.0.cdxml Handle ID: 0x72c Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224441 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerRecursionScope_v1.0.0.cdxml Handle ID: 0x7b8 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224440 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerRecursion_v1.0.0.cdxml Handle ID: 0x3ac Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224439 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerQueryResolutionPolicy_v1.0.0.cdxml Handle ID: 0x7bc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224438 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerPrimaryZone_v1.0.0.cdxml Handle ID: 0x72c Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224437 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerPolicy_v1.0.0.cdxml Handle ID: 0x7b8 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224436 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerKeyStorageProvider_v1.0.0.cdxml Handle ID: 0x3ac Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224435 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerGlobalQueryBlockList_v1.0.0.cdxml Handle ID: 0x7bc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224434 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerGlobalNameZone_v1.0.0.cdxml Handle ID: 0x72c Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224433 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerForwarder_v1.0.0.cdxml Handle ID: 0x7b8 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224432 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerEdns_v1.0.0.cdxml Handle ID: 0x3ac Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224431 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerDsSetting_v1.0.0.cdxml Handle ID: 0x7bc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224430 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerDnsSecZoneSetting_v1.0.0.cdxml Handle ID: 0x72c Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224429 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerDnsSecPublicKey_v1.0.0.cdxml Handle ID: 0x7b8 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224428 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerDirectoryPartition_v1.0.0.cdxml Handle ID: 0x3ac Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224427 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerDiagnostics_v1.0.0.cdxml Handle ID: 0x7bc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224426 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerConditionalForwarder_v1.0.0.cdxml Handle ID: 0x72c Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224425 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerClientSubnet_v1.0.0.cdxml Handle ID: 0x7b8 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224424 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerCache_v1.0.0.cdxml Handle ID: 0x3ac Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224423 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServer_v1.0.0.cdxml Handle ID: 0x7bc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224422 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\DnsServerPsProvider.Types.ps1xml Handle ID: 0x72c Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224421 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\DnsServerPsProvider.Format.ps1xml Handle ID: 0x7b8 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224420 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsServer\DnsServer.psd1 Handle ID: 0x7b0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224419 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\dnsperf.dll Handle ID: 0x7b8 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224418 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerZoneUnsign_v1.0.0.cdxml Handle ID: 0x7bc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224417 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerZoneTransferPolicy_v1.0.0.cdxml Handle ID: 0x7b0 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224416 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerZoneTransfer_v1.0.0.cdxml Handle ID: 0x3ac Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224415 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerZoneSign_v1.0.0.cdxml Handle ID: 0x7b8 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224414 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerZoneScope_v1.0.0.cdxml Handle ID: 0x7b4 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224413 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerZoneKeyMasterRole_v1.0.0.cdxml Handle ID: 0x72c Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224412 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerZoneDelegation_v1.0.0.cdxml Handle ID: 0x7bc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224411 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerZoneAging_v1.0.0.cdxml Handle ID: 0x3ac Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224410 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerZone_v1.0.0.cdxml Handle ID: 0x7b8 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224409 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerVirtualizationInstance_v1.0.0.cdxml Handle ID: 0x7b4 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224408 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerTrustPoint_v1.0.0.cdxml Handle ID: 0x7bc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224407 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerTrustAnchor_v1.0.0.cdxml Handle ID: 0x3ac Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224406 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerStubZone_v1.0.0.cdxml Handle ID: 0x7b8 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224405 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerStatistics_v1.0.0.cdxml Handle ID: 0x7b4 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224404 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerSigningKeyRollover_v1.0.0.cdxml Handle ID: 0x7bc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224403 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerSigningKey_v1.0.0.cdxml Handle ID: 0x3ac Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224402 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerSetting_v1.0.0.cdxml Handle ID: 0x72c Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224401 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerSecondaryZone_v1.0.0.cdxml Handle ID: 0x7b4 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224400 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerScavenging_v1.0.0.cdxml Handle ID: 0x7bc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224399 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerRootHint_v1.0.0.cdxml Handle ID: 0x3ac Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224398 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerResponseRateLimitingExceptionlist_v1.0.0.cdxml Handle ID: 0x72c Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224397 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerResponseRateLimiting_v1.0.0.cdxml Handle ID: 0x7b4 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224396 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerResourceRecordPTR_v1.0.0.cdxml Handle ID: 0x7bc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224395 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerResourceRecordMX_v1.0.0.cdxml Handle ID: 0x7bc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224394 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerResourceRecordDS_v1.0.0.cdxml Handle ID: 0x7b8 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224393 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerResourceRecordDnsKey_v1.0.0.cdxml Handle ID: 0x72c Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224392 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerResourceRecordCNAME_v1.0.0.cdxml Handle ID: 0x7b4 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224391 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerResourceRecordAging_v1.0.0.cdxml Handle ID: 0x7bc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224390 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerResourceRecordAAAA_v1.0.0.cdxml Handle ID: 0x7b8 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224389 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerResourceRecordA_v1.0.0.cdxml Handle ID: 0x72c Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224388 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerResourceRecord_v1.0.0.cdxml Handle ID: 0x7b4 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224387 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerRecursionScope_v1.0.0.cdxml Handle ID: 0x7bc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224386 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerRecursion_v1.0.0.cdxml Handle ID: 0x7b8 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224385 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerQueryResolutionPolicy_v1.0.0.cdxml Handle ID: 0x72c Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224384 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerPrimaryZone_v1.0.0.cdxml Handle ID: 0x7b4 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224383 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerPolicy_v1.0.0.cdxml Handle ID: 0x7bc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224382 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerKeyStorageProvider_v1.0.0.cdxml Handle ID: 0x7b8 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224381 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerGlobalQueryBlockList_v1.0.0.cdxml Handle ID: 0x72c Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224380 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerGlobalNameZone_v1.0.0.cdxml Handle ID: 0x7b4 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224379 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerForwarder_v1.0.0.cdxml Handle ID: 0x7bc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224378 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerEdns_v1.0.0.cdxml Handle ID: 0x7b8 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AI New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224377 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerDsSetting_v1.0.0.cdxml Handle ID: 0x7b8 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224376 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerDnsSecZoneSetting_v1.0.0.cdxml Handle ID: 0x7b4 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224375 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerDnsSecPublicKey_v1.0.0.cdxml Handle ID: 0x72c Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224374 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerDirectoryPartition_v1.0.0.cdxml Handle ID: 0x7bc Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224373 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerDiagnostics_v1.0.0.cdxml Handle ID: 0x7b8 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224372 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerConditionalForwarder_v1.0.0.cdxml Handle ID: 0x7b4 Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224371 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsServer\PS_DnsServerClientSubnet_v1.0.0.cdxml Handle ID: 0x72c Process Information: Process ID: 0xe80 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) 10/09/2020 09:00:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4907 EventType=0 Type=Information ComputerName=win-dc-1796611 TaskCategory=Audit Policy Change OpCode=Info RecordNumber=224370 Keywords=Audit Success Message=Auditing settings on object were changed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-1796611$ Account Domain: WORKGROUP Logon ID: 0x